Novice ask how fuzzy queries prevent SQL injection

Creating a Table Model
$news _table=new News ();
Create the appropriate adapter
$db = $news _table->getadapter ();
Prepare the SQL statement.
$sql = $db->quoteinto ("Select Title,pubdate from the news where title like '% $keyword _arr[0]% '");
Get result set
$res = $db->query ($sql)->fetchall ();
I need to fuzzy query, intentionally to take the% number, but also has the variable name $ number, the array subscript operator [], but also to prevent others to use such things as% of SQL injection, this sentence how to write ah??

Reply to discussion (solution)

Add a mysql_real_escape_string ();
However mysql_real_escape_string do not escape the% and _ so you can Str_replace (), remove the unwanted symbols.

This SQL can help write it out to me try not
I'm a rookie.

This SQL can query the results, but I recorded 1 errors and a warning in my error log file.
PHP warning:missing Argument 2 for Zend_db_adapter_abstract::quoteinto (),
Called in E:\myenv\Apache\htdocs\news\application\controllers\NewsqueryController.php on line, and defined in E:\ myenv\apache\htdocs\news\library\zend\db\adapter\abstract.php on line 927

PHP notice:undefined Variable:value in
E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php
On line 930
I don't know where there's a problem.

1, abstract.php 927 line of the End_db_adapter_abstract::quoteinto () function is missing parameter 2, that is, you pass a parameter less
2, PHP notice:undefined variable:value
$value not defined, in abstract.php 930 lines

% how to achieve this injection?

I also want to know, should be to filter the parameters, found to filter the characters, forced to quit or replace.

Mysql_real_escape_string
And
Mysql_escape_string

What's the difference??

$db-Quoteinto ("Select Title,pubdate from the news where title like '% $keyword _arr[0]% '");
Method Quoteinto requires two parameters

To #7
The latter has been included in the obsolete series

