binding regular expression to PDO parameter in PDO statement

非 Y 不嫁゛ submitted on 2019-12-23 17:48:20

Question


Ok, so I am fairly new to PHP and MySQL. I am creating a PHP front end to a MySQL database. I am using the PDO driver to access the database, since it prevents SQL injection attacks. So far it has been fine until I came to this problem. I have a search function where a user can type a company name, full or partial, to search for data about it.

Here is PDO statement I am using to carry out the search in database:

SELECT CompName FROM CompanyName 
WHERE CompName REGEXP :name 
ORDER BY CompName ASC LIMIT 1

So then I can prepare, bind what the user types in the search field to the parameter name, and execute the statement. As long as the user does not type any metacharacters it works. Here is the very basic regular expression I insert into the PDO statement instead of name:
^whatusertyped, since originally I am looking for a complete match. Since some company names do contain periods and such, I want the user to be able to type those characters and my regular expression to take them as literals as opposed to metacharacters. So far this is how I have been replacing metacharacters to get their literal meaning:

user types: C. to look for company name that starts with C.

The PHP function inserts ^ and \\\\ to get an output of ^C\\.

MySQL gets ^C\\. and searches for C. at the beginning of the company name, where the period is literal and not meant to say "look for a wildcard character".

So I am searching for C. because there is a company in the database whose name starts like that and I should get a match, but I don't; the PDO statement returns an empty array.

I did try the query:

SELECT CompName FROM CompanyName 
WHERE CompName REGEXP "^C\\\\." 
ORDER BY CompName ASC LIMIT 1

directly in MySQL and got back a match, and I also directly executed the query in PHP without prepare/bind and got back a match. The problem seems to me to be in preparing and binding the search term to a parameter, but I have not been able to figure out what exactly it is and how to solve it. I really want to use bind and prepare, like I said, to avoid SQL injection.

Any help would be greatly appreciated. Hopefully I explained the problem clearly.


Answer 1:


I believe the value you bind to :name should be just ^C\., not ^C\\.. You don't need to do any escaping at the SQL level, just at the regex level (i.e., \. for a literal .).

Also, consider using WHERE CompName LIKE 'C.%'. You don't need a regex here. You would use it like so:

function like_escape($s) {
    // Escape the LIKE wildcards (and the escape character itself) so that
    // user-typed %, _ and \ match literally. MySQL's default LIKE escape
    // character is the backslash, which is what addcslashes() emits.
    return addcslashes($s, '%_\\');
}
$searchprefix = 'C.';
$sql = 'SELECT CompName FROM CompanyName WHERE CompName LIKE ? ORDER BY CompName ASC';
$stmt = $db->prepare($sql);
// Escape the user text first, then append the wildcard that implements "starts with".
$likeclause = like_escape($searchprefix).'%';
// bindValue() is called on the prepared statement, not on the connection.
$stmt->bindValue(1, $likeclause, PDO::PARAM_STR);
$stmt->execute();
$names = $stmt->fetchAll(PDO::FETCH_COLUMN);
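
Added example (not from the original question or answer): both searches from the thread, the REGEXP prefix match and the LIKE alternative, written in Python against an in-memory SQLite database that stands in for PHP/PDO and MySQL so the block runs stand-alone. SQLite has no REGEXP operator built in, so the block registers one backed by Python's re module; the company names are constructed sample data. It demonstrates the answer's point: escape only at the regex (or LIKE) level, then hand the pattern to the driver as a bound parameter with no SQL-level escaping, and it also shows what goes wrong when the metacharacters are left unescaped.

```python
import re
import sqlite3

# Constructed sample data standing in for the CompanyName table of the post.
# Several names contain regex or LIKE metacharacters on purpose.
COMPANIES = [
    "C. Acme Holdings",
    "C.Direct",
    "CX Industries",
    "Cap_Rate Analytics",
    "Capital Growth",
    "100% Organic Foods",
    "1000 Ways Ltd",
]


def open_db():
    """In-memory SQLite database playing the role of the MySQL table.

    SQLite has no built-in REGEXP; registering a two-argument function under
    that name makes `CompName REGEXP ?` work. SQLite evaluates X REGEXP Y as
    regexp(Y, X), so the pattern arrives first. (MySQL's REGEXP is
    case-insensitive by default; Python's re.search is not.)
    """
    db = sqlite3.connect(":memory:")
    db.create_function(
        "REGEXP", 2, lambda pattern, value: 1 if re.search(pattern, value) else 0
    )
    db.execute("CREATE TABLE CompanyName (CompName TEXT)")
    db.executemany("INSERT INTO CompanyName VALUES (?)", [(c,) for c in COMPANIES])
    return db


def regex_pattern_for(user_input):
    r"""Regex-level escaping only: 'C.' becomes ^C\. (a single backslash).

    That string is bound as a parameter exactly as it is. Doubling the
    backslash "for the SQL layer" would make the driver send a pattern that
    looks for a literal backslash followed by any character, which is why
    the question's query returned nothing.
    """
    return "^" + re.escape(user_input)


def regex_prefix_search(db, user_input, escape_metachars=True):
    """Prefix search with REGEXP; the pattern travels as a bound parameter."""
    pattern = regex_pattern_for(user_input) if escape_metachars else "^" + user_input
    rows = db.execute(
        "SELECT CompName FROM CompanyName WHERE CompName REGEXP ? ORDER BY CompName ASC",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


def like_escape(s, esc="\\"):
    """Escape LIKE wildcards and the escape character itself."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def like_prefix_search(db, user_input, escape_wildcards=True):
    """The answer's LIKE alternative: escape % and _ in the user text, append
    the trailing %, bind the whole thing, and name the escape character."""
    prefix = like_escape(user_input) if escape_wildcards else user_input
    rows = db.execute(
        "SELECT CompName FROM CompanyName WHERE CompName LIKE ? ESCAPE '\\' "
        "ORDER BY CompName ASC",
        (prefix + "%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print(regex_prefix_search(db, "C."))          # only the two "C." companies
    print(regex_prefix_search(db, "C.", False))   # unescaped: every "C?" name
    print(like_prefix_search(db, "Cap_"))         # only Cap_Rate Analytics
    print(like_prefix_search(db, "100%", False))  # unescaped: 1000 Ways Ltd too
```

The ESCAPE clause is stated explicitly in the LIKE query so the escaping in like_escape() does not depend on a server default; MySQL uses backslash by default, SQLite has no default escape character at all.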


Source: https://stackoverflow.com/questions/8620641/binding-regular-expression-to-pdo-parameter-in-pdo-statement
