New user asks how to prevent SQL injection in a fuzzy (LIKE) search
// Create a table model
$news_table = new news();
// Create the corresponding adapter
$db = $news_table->getAdapter();
// Prepare the SQL statement
$sql = $db->quoteInto("select title, pubDate from news where title like '%$keyword_arr[0]%'");
// Obtain the result set
$res = $db->query($sql)->fetchAll();
I need to perform a fuzzy query, so I want to keep the "%" sign, the variable sigil "$" and the array subscript operator "[]". However, I want to prevent others from using "%" and similar characters for SQL injection. How should I write this statement?
------ Solution --------------------
Add mysql_real_escape_string();
However, mysql_real_escape_string does not escape % and _, so you can use str_replace() to remove the unwanted symbols.
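The following is an added example, not code from the original post or from Zend Framework itself, showing the approach the answer hints at in working form: the keyword is passed to the Zend_Db adapter as a bound parameter (so quoting is done by the driver, not by string interpolation), and the LIKE metacharacters % and _ are escaped so they match literally instead of acting as wildcards. The helper name escapeLikeWildcards and the function searchNewsByTitle are assumptions introduced here; $news_table is assumed to be the Zend_Db_Table instance from the question.

```php
<?php
// Added example (not from the original post). Assumes a Zend Framework 1
// Zend_Db_Table instance ($news_table) and a "news" table with "title" and
// "pubDate" columns, as in the question.

/**
 * Escape the LIKE metacharacters (%, _ and the backslash escape character)
 * so that user input is matched literally. Hypothetical helper name.
 */
function escapeLikeWildcards($value)
{
    // addcslashes() prefixes each listed character with a backslash;
    // the backslash is MySQL's default LIKE escape character.
    return addcslashes($value, '%_\\');
}

/**
 * Run the fuzzy search with the keyword as a bound parameter. The SQL text
 * contains only the "?" placeholder, so user input never reaches the parser
 * as part of the statement; quote characters are handled by the driver.
 */
function searchNewsByTitle(Zend_Db_Table_Abstract $news_table, $keyword)
{
    $db = $news_table->getAdapter();
    // Wildcards we add ourselves stay outside the escaped user value.
    $pattern = '%' . escapeLikeWildcards($keyword) . '%';
    $sql = 'SELECT title, pubDate FROM news WHERE title LIKE ?';
    // fetchAll($sql, $bind) sends the value separately from the SQL text.
    return $db->fetchAll($sql, array($pattern));
}

// Constructed sample keywords to show what the escaping does to the pattern.
$samples = array('php', '100%', 'a_b', "' OR 1=1 --");
foreach ($samples as $s) {
    echo $s, ' -> %', escapeLikeWildcards($s), "%\n";
}

// Usage with the table model from the question:
// $rows = searchNewsByTitle($news_table, $keyword_arr[0]);
```

Note on the original call: quoteInto() only quotes a value where the SQL text contains a "?" placeholder. In the question's code the keyword is interpolated into the PHP string before quoteInto() ever sees it, so nothing is quoted at all. Escaping the wildcards with addcslashes() instead of stripping them with str_replace() also keeps a search for "100%" meaningful rather than silently turning it into a search for "100".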