你有沒有考慮做這樣的事情,而不是:
$varSearch = @$_GET['dms'];
$varTerm = explode(" ", $varSearch);
$termsStringArray = array();
$termsArray = array();
foreach($varTerm as $term){
$term = trim($term);
if(!empty($term)) {
array_push($termsStringArray, "name LIKE ? OR tags LIKE ? ");
array_push($termsArray, $term);
array_push($termsArray, $term); // note, you can do this part differently, if you'd like
}
}
$implodedTermsString = implode('OR ', $termsStringArray);
$sql = $dbh->prepare("SELECT * FROM biz WHERE " . $implodedTermsString);
$sql->execute(array($termsArray));
輸出:
// prepare statement
SELECT * FROM biz WHERE name LIKE ? OR tags LIKE ? OR name LIKE ? OR tags LIKE ? OR name LIKE ? OR tags LIKE ? OR name LIKE ? OR tags LIKE ?
// $termsArray (for execute)
Array
(
[0] => this
[1] => this
[2] => is
[3] => is
[4] => the
[5] => the
[6] => string
[7] => string
)
基本上,試圖分開來自初始SQL查詢prepare
字符串的數組數據。讓我知道這是否適合你!
儘管如此,您仍然希望對從$_GET
變量獲得的數據進行某種檢查(或清理)。 $_GET
變量可能包含任何內容......並且可能對SQL injections或其他有害問題不好。
並且,LIKE
不一定會成爲執行此類數據庫搜索的最有效方式。但是,如果您使用它(並且我已經將它用於過去的搜索),請嘗試檢出:http://use-the-index-luke.com/sql/where-clause/searching-for-ranges/like-performance-tuning。
可能重複的HTTP :/ /stackoverflow.com/questions/583336/how-do-i-create-a-pdo-parameterized-query-with-a-like-statement-in-php) – Brad 2012-01-31 04:36:47
謝謝,我回答了我自己的問題,並張貼它可以防止其他人需要它 – hellomello 2012-01-31 04:58:48