How to splice strings in mysql using parameterized query and like fuzzy query

Source: Internet
Author: User

Mysql uses parameterized query and like fuzzy query. How to splice string curiosity is the source of learning power: Because diving in the Group saw a discussion about SQL injection, I tried to enter single quotes in the search box of my own program, the Program reported an error and started to modify it to a parameterized query. The nightmare started .. He moved out of the DBHelper (the operation class using parameterized query) written at graduation and replaced the DBHelper in the program for convenience (let's just say. Start to install common logic stitching: SQL + = "where t. realName like '%? RealName % '"; // failed. No data can be found in any case. Cause of failure: Is it said that ''is enclosed in quotation marks? RealName. The program considers this string as a non-Keyword and does not parse it. After that, I tried a format similar to this, for example, SQL + = "where t. realName like '%" + "? RealName "+" % '"; // you want? RealName is used as a parameter for program identification. The disadvantages of poor foundation are exposed. It is pointed out by experts that this is obviously a concatenation of strings, and it is hard to be ashamed. For more information, see SQL + = "where t. realName like '%' +? RealName + '%' "; // throw an exception. Then I want to use another method to create a relationship if there is no relationship between the two tables. // This sentence has a great impact on me and has benefited a lot. At that time, it was mssql with a data format such as,. These numbers are the ID columns of another table and are associated using charindex. Run the question ------- I went through google query and used the following SQL: SQL + = "where instr (t. realName ,? RealName)> 0 "; // the query is normal, and a little worried about the use of functions in the query, resulting in the failure to use the index, resulting in performance decline, worried .. After lunch, I wrote an SQL statement from Ji you Alex and tried the following: SQL + = "where t. realName like concat (? RealName, '%') "; // query succeeded. This is a special String concatenation method in mysql. It really hurts me... External question: mssql is spliced with a plus sign, oracle is | spliced, mysql is concat (var1, var2 ,.....) splicing Summary: 1. Although I helped my colleagues solve a query using the concat function a few days ago, I am ashamed to use it myself. 2. When I graduated from college, I still wrote parameterized queries all day long, but I am constantly looking for ways to be lazy. People are getting worse. 3. The foundation is poor. I will suffer if I have to make up for it one day later. 4. You need to explain whether using a function in a query will cause index failure. 5. mysql has a full-text search, which seems to be a weakness.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.