Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

[SOLVED] Binding parameters for conditions LIKE %...%

Guys, I think I'm missing something, but don't see what exactly. First query returns, as expected, occurrences in DB:

$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
    "conditions" => $id . " LIKE '%" . $query . "%'",
    "limit" => 8
));

but the second one returns first 8 rows, instead of occurences of $value:

$value = $this->request->getQuery('value', 'string');
$cities = Cities::find(array(
    'conditions' => 'name LIKE :value:',
    'bind' => array('value' => '%' . $value . '%'),
    'limit' => 8
));

What I'm missing?



404
Accepted
answer

Check the value of $value variable.



11.2k

Hi, @Firnis You're right, $value was empty, just forgot to edit JS :) thx!



84.1k

@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:

$id = $this->request->getQuery("id", "string");
$query = $this->request->getQuery("query", "string");
$products = Products::find(array(
  "conditions" => $id . " LIKE '%" . $query . "%'",
  "limit" => 8
));


11.1k
edited Dec '14

Hi, Phalcon!

How can i use strings (that may contain integers, alpha chars and even some special like underscore) from client/user to safe search with "LIKE %%" condition in database without getting sql injections?

In docs i see only "conditions"=>"name LIKE \"steve%\"" example. Is that safe without binding?

@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:

```php $id = $this->request->getQuery("id", "string"); $query = $this->request->getQuery("query", "string"); $products = Products::find(array( "conditions" => $id . " LIKE '%" . $query . "%'", "limit" => 8 )); ```

edited Mar '15

No, it is not safe. It is just an example you should bind parameters to prevent sql injections.

Hi, Phalcon!

How can i use strings (that may contain integers, alpha chars and even some special like underscore) from client/user to safe search with "LIKE %%" condition in database without getting sql injections?

In docs i see only "conditions"=>"name LIKE \"steve%\"" example. Is that safe without binding?

@chebureque note that "string" filter is not an alphanumeric filter, using that way to filter table columns will not give you the expected result and is in fact opening your application to potential sql injections, at:

```php $id = $this->request->getQuery("id", "string"); $query = $this->request->getQuery("query", "string"); $products = Products::find(array( "conditions" => $id . " LIKE '%" . $query . "%'", "limit" => 8 )); ```

If you are going to use the LIKE with normal bindings you can do it like this example:

$entries   = EntryModel::query();
$entries->where("name LIKE :name:");
$entries->bind(array('name' => '%' . $_POST['filterString'] .'%'));

return $entries->execute();

Worked like a charm :D

If you are going to use the LIKE with normal bindings you can do it like this example:

```php $entries = EntryModel::query(); $entries->where("name LIKE :name:"); $entries->bind(array('name' => '%' . $_POST['filterString'] .'%'));

return $entries->execute(); ```