[SOLVED] Binding parameters for conditions LIKE %...%

Question

[SOLVED] Binding parameters for conditions LIKE %...%

chebureque Jun '13

Created Jun '13	Last Reply Feb '17	Replies 6	Views 9158	Votes 1

chebureque 19.2k

Jun '13

Guys, I think I'm missing something, but don't see what exactly. First query returns, as expected, occurrences in DB:

$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
    "conditions" => $id . " LIKE '%" . $query . "%'",
    "limit" => 8
));

but the second one returns first 8 rows, instead of occurences of $value:

$value = $this->request->getQuery('value', 'string');
$cities = Cities::find(array(
    'conditions' => 'name LIKE :value:',
    'bind' => array('value' => '%' . $value . '%'),
    'limit' => 8
));

What I'm missing?

1

Andrey
404

Accepted
answer

Jun '13

Check the value of $value variable.

chebureque · Answer 1 · 2013-06-25T00:22:14-07:00

chebureque
19.2k

Jun '13

Hi, @Firnis You're right, $value was empty, just forgot to edit JS :) thx!

Phalcon · Answer 2 · 2013-06-26T08:46:49-07:00

@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:

$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
  "conditions" => $id . " LIKE '%" . $query . "%'",
  "limit" => 8
));

Roman · Answer 3 · 2014-12-24T03:43:40-07:00

Hi, Phalcon!

How can i use strings (that may contain integers, alpha chars and even some special like underscore) from client/user to safe search with "LIKE %%" condition in database without getting sql injections?

In docs i see only "conditions"=>"name LIKE \"steve%\"" example. Is that safe without binding?

@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:
$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
 "conditions" => $id . " LIKE '%" . $query . "%'",
 "limit" => 8
));

Ilgıt Yıldırım · Answer 4 · 2015-03-04T08:27:25-07:00

No, it is not safe. It is just an example you should bind parameters to prevent sql injections.

Hi, Phalcon!

How can i use strings (that may contain integers, alpha chars and even some special like underscore) from client/user to safe search with "LIKE %%" condition in database without getting sql injections?

In docs i see only "conditions"=>"name LIKE \"steve%\"" example. Is that safe without binding?
@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:
$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
 "conditions" => $id . " LIKE '%" . $query . "%'",
 "limit" => 8
));

Walter Pulido · Answer 5 · 2016-06-23T16:14:08-07:00

If you are going to use the LIKE with normal bindings you can do it like this example:

$entries   = EntryModel::query();
$entries->where("name LIKE :name:");
$entries->bind(array('name' => '%' . $_POST['filterString'] .'%'));

return $entries->execute();

Danny Feliz · Answer 6 · 2017-02-23T08:44:16-07:00

Worked like a charm :D

If you are going to use the LIKE with normal bindings you can do it like this example:
$entries   = EntryModel::query();
$entries->where("name LIKE :name:");
$entries->bind(array('name' => '%' . $_POST['filterString'] .'%'));

return $entries->execute();