Question
Is there any functional difference between these two approaches of binding a pattern for a LIKE clause via prepared statements?
Constructing the pattern in the client:
$stmt = $db->prepare('SELECT * FROM foo WHERE bar LIKE ?');
$stmt->bindValue(1, '%' . $searchTerm . '%');
Constructing the pattern within SQL:
$stmt = $db->prepare("SELECT * FROM foo WHERE bar LIKE CONCAT('%', ?, '%')");
$stmt->bindValue(1, $searchTerm);
This example uses PHP's PDO adapter, but this is not specific to PHP, PDO, or any client in particular. Any client in any language should yield the same results. If that's not the case and there is a difference, please let me know that as well.
(This is a point of contention that came up in a different context, and I'm looking for an official answer. IMO and AFAIK both methods yield the same result, and the former seems saner to me, though that's arguably mostly a question of style.)
Source: https://stackoverflow.com/questions/35513505/binding-a-like-pattern-value-two-different-approaches
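The two bindings from the question, run side by side as an added example that is not part of the original post. It assumes SQLite through Python's sqlite3 module, so `||` stands in for CONCAT; the table rows are constructed and the function names are hypothetical. It goes one step beyond the question: in either approach a `%` or `_` inside the bound term still acts as a LIKE wildcard, so a literal substring search also needs the term escaped with an ESCAPE clause.

```python
import sqlite3

# Constructed sample data for table foo(bar).
ROWS = ["alpha", "100% cotton", "snake_case", "snakeXcase", "beta"]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE foo (bar TEXT)")
    db.executemany("INSERT INTO foo (bar) VALUES (?)", [(r,) for r in ROWS])
    return db

def client_side(db, term):
    # Approach 1 from the question: the pattern is built in the client.
    sql = "SELECT bar FROM foo WHERE bar LIKE ? ORDER BY bar"
    return [r[0] for r in db.execute(sql, ("%" + term + "%",))]

def sql_side(db, term):
    # Approach 2: the pattern is built inside SQL
    # (assumption: SQLite's '||' operator in place of CONCAT).
    sql = "SELECT bar FROM foo WHERE bar LIKE '%' || ? || '%' ORDER BY bar"
    return [r[0] for r in db.execute(sql, (term,))]

def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters; the escape character itself goes first
    # so that escapes added for '%' and '_' are not escaped a second time.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def literal_search(db, term):
    # Substring search where '%' and '_' in the term match only themselves.
    sql = "SELECT bar FROM foo WHERE bar LIKE ? ESCAPE '\\' ORDER BY bar"
    return [r[0] for r in db.execute(sql, ("%" + escape_like(term) + "%",))]

if __name__ == "__main__":
    db = make_db()
    for term in ("case", "%", "e_c"):
        print(repr(term), client_side(db, term), sql_side(db, term),
              literal_search(db, term))
```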