How to prevent SQL injection in fuzzy search

Source: Internet
Author: User
Tags: how to prevent sql injection
A new user asks how to prevent SQL injection in a fuzzy query:

// Create a table model
$news_table = new news();
// Create the corresponding adapter
$db = $news_table->getAdapter();
// Prepare the SQL statement
$sql = $db->quoteInto("select title, pubDate from news where title like '%$keyword_arr[0]%'");
// Obtain the result set
$res = $db->query($sql)->fetchAll();
I need to perform a fuzzy query, so I want to include the "%" sign, the variable sigil "$" and the array subscript operator "[]". However, I want to prevent others from using "%" and similar characters for SQL injection. How should I write this statement?


Reply to discussion (solution)

Add mysql_real_escape_string();
However, mysql_real_escape_string() does not escape % and _, so you can use str_replace() to remove the unwanted symbols.
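The approach this reply describes, applied to the query from the question, as an added example rather than code from the thread: it assumes $db is a Zend_Db adapter as in the question, passes the keyword to quoteInto() as the second argument instead of interpolating it, and neutralises LIKE wildcards with an explicit ESCAPE clause.

```php
<?php
// Added example (not the original poster's code). Assumes $db is a Zend_Db
// adapter (e.g. Zend_Db_Adapter_Pdo_Mysql) and $keyword_arr[0] holds the
// user's search term, as in the question.

/**
 * Escape LIKE metacharacters so the keyword is matched literally.
 * quote()/quoteInto() only protect the string delimiters; '%' and '_'
 * must be handled separately. An explicit ESCAPE character ('!') is used
 * so the result does not depend on how the adapter treats backslashes.
 */
function escapeLikeKeyword($keyword, $escapeChar = '!')
{
    // The escape character itself is doubled first so that the '!' added
    // in front of '%' and '_' is never escaped a second time.
    return str_replace(
        array($escapeChar, '%', '_'),
        array($escapeChar . $escapeChar, $escapeChar . '%', $escapeChar . '_'),
        $keyword
    );
}

/**
 * Build the SELECT from the question with the keyword bound through
 * quoteInto(): the '?' placeholder is replaced by the quoted value, which
 * is the second argument the original call was missing.
 */
function buildNewsSearchSql(Zend_Db_Adapter_Abstract $db, $keyword)
{
    $pattern = '%' . escapeLikeKeyword($keyword) . '%';
    return $db->quoteInto(
        "SELECT title, pubDate FROM news WHERE title LIKE ? ESCAPE '!'",
        $pattern
    );
}

// A search term such as "50%_off" now matches that literal text instead of
// acting as a wildcard pattern, and a quote in the keyword cannot close
// the string literal.
$sql = buildNewsSearchSql($db, $keyword_arr[0]);
$res = $db->query($sql)->fetchAll();
```

The same pattern can be passed as a bound parameter with $db->fetchAll($sqlWithPlaceholder, array($pattern)), which lets the driver do the quoting; the wildcard escaping is still needed in that case.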

Could someone write this SQL statement for me?
I'm a newbie.

This SQL statement can query the results, but one error and one warning are recorded in my error log file.
PHP Warning: Missing argument 2 for Zend_Db_Adapter_Abstract::quoteInto(),
called in E:\myenv\Apache\htdocs\news\application\controllers\NewsqueryController.php on line 44 and defined in E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php on line 927

PHP Notice: Undefined variable: value in
E:\myenv\Apache\htdocs\news\library\Zend\Db\Adapter\Abstract.php
on line 930
I don't know where the problem is.

1. Zend_Db_Adapter_Abstract::quoteInto() on line 927 of Abstract.php is missing parameter 2, that is, you left out a parameter.
2. PHP Notice: Undefined variable: value
$value is not defined, on line 930 of Abstract.php.

How can "%" be used for injection?

I'd also like to know. It is necessary to filter the parameters: find out which characters need filtering, then either force an exit or replace them.

What are the differences between mysql_real_escape_string and mysql_escape_string?

$db->quoteInto("select title, pubDate from news where title like '%$keyword_arr[0]%'");
The quoteInto method requires two parameters.

To #7
The latter has already been deprecated.
