From: taco at procurios dot nl Operating system: linux PHP version: 5.2.6 PHP Bug Type: PDO related Bug description: There is no good method to escape a string for use in a (mySQL) LIKE clause
Description: ------------ There is no good method to escape a string for use in a (mySQL) LIKE clause. In a query like "SELECT `foo` FROM `bar` WHERE `baz` LIKE '%" . $qux . "%'" the value of $qux should be escaped for both the query itself (like PDO::quote() does) as the LIKE clause (i.e. escaping % and _ characters. Using PDO the only way to escape a variable is using either PDOStatement::bindParam() or PDO::quote(). The first is not suitable for two reasons: 1. Not every query is a prepared statement 2. There is no way to escape % and _ (escaping them first will result in the \ being escaped: \% becomes \\%) The latter is not suitable because it will add quotes to the string, so you'll have to get rid of the quotes, escape % and _ and add the result to the query. -- Edit bug report at http://bugs.php.net/?id=46556&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=46556&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=46556&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=46556&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=46556&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=46556&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=46556&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=46556&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=46556&r=needscript Try newer version: http://bugs.php.net/fix.php?id=46556&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=46556&r=support Expected behavior: http://bugs.php.net/fix.php?id=46556&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=46556&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=46556&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=46556&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=46556&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=46556&r=dst IIS Stability: http://bugs.php.net/fix.php?id=46556&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=46556&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=46556&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=46556&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=46556&r=mysqlcfg
