$sql = "select * from user where name like '%$name%' "; // $name is spliced straight into the SQL text: vulnerable to SQL injection
PDO, however, guards against SQL injection by automatically escaping the bound value (adding escape characters around special symbols), which defeats the attack but also breaks the LIKE syntax, so the query no longer parses as intended. The correct PDO form is therefore:
$name = '%'.$name.'%';                                 // put the wildcards into the value, not into the SQL text
$sql = "select * from user where name like :NAME";     // :NAME is a bare placeholder, not inside quotes
$d = $this->DB->prepare($sql);                         // $this->DB is the PDO connection
$d->bindParam(":NAME", $name);                         // bound as data, so it cannot alter the query
$d->execute();
$data = $d->fetchAll();
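The following is an added example, not code from the original post. It runs the parameterised LIKE against an in-memory SQLite database so it works stand-alone, and it goes one step further than the post: it also escapes `%` and `_` in the user's search term (with an explicit `ESCAPE` clause), so that characters the user typed are matched literally rather than acting as wildcards. The `searchUsers` function, the `user` table rows and the search terms are all constructed for this example.

```php
<?php
// Added example (not from the original post): parameterised LIKE with wildcard escaping.
// Uses an in-memory SQLite database so the script runs without any setup.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)");

// Constructed sample rows.
foreach (['alice', 'bob', 'carol_x', 'dave'] as $n) {
    $db->prepare("INSERT INTO user (name) VALUES (:n)")->execute([':n' => $n]);
}

// Hypothetical helper: search names containing $term.
function searchUsers(PDO $db, string $term): array
{
    // A term such as "_x" or "50%" would otherwise be read as a LIKE pattern.
    // Escape the backslash first, then the two LIKE metacharacters.
    $escaped = strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);

    // Wildcards belong in the bound value. "LIKE '%:NAME%'" would not work:
    // inside quotes, :NAME is literal text, not a placeholder.
    $pattern = '%' . $escaped . '%';

    // ESCAPE makes the escape character explicit instead of relying on the
    // database's default, so the same statement behaves the same on SQLite and MySQL.
    $stmt = $db->prepare("SELECT name FROM user WHERE name LIKE :NAME ESCAPE '\\'");
    $stmt->bindValue(':NAME', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Usage: each term is bound as data, so quotes or wildcards in it never change the query.
print_r(searchUsers($db, 'a'));     // alice, carol_x, dave
print_r(searchUsers($db, '_x'));    // carol_x only (underscore matched literally, not as a wildcard)
print_r(searchUsers($db, '%'));     // empty: no name contains a literal percent sign
print_r(searchUsers($db, "o'b"));   // empty, and no SQL error: the quote is just part of the value
```

Without the `strtr` step, the `'_x'` search would also match any name whose last two characters are anything followed by `x`, and a bare `'%'` term would return every row; that is not an injection, but it is a way for a user to read more than intended from a search endpoint, so escaping the metacharacters is worth doing alongside the prepared statement.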