Comment préparer correctement une instruction SQL% LIKE%?

Question

Comment préparer correctement une instruction SQL% LIKE%?

- 38
- 42508 2011-02-08
J'aimerais utiliser uneinstruction LIKE%text%touten utilisant la classe WordPress $ wpdbpournettoyeret préparer l'entrée.

SELECT column_1 from `prefix_my_table` WHERE column_2 LIKE '%something%';

J'aiessayé quelque chose comme çaen vain:

$wpdb->prepare( "SELECT column_1 from `{$wpdb->base_prefix}my_table` WHERE column_2 LIKE %s;", like_escape($number_to_put_in_like));

Commentpréparer correctement uneinstruction SQL% LIKE%en utilisant la classe debase de données WordPress?
I'd like to use a LIKE %text% statement while still using the WordPress $wpdb class to sanitize and prepare input.

SELECT column_1 from `prefix_my_table` WHERE column_2 LIKE '%something%';

I've tried something like this to no avail:

$wpdb->prepare( "SELECT column_1 from `{$wpdb->base_prefix}my_table` WHERE column_2 LIKE %s;", like_escape($number_to_put_in_like));

How do you properly prepare a %LIKE% SQL statement using the WordPress database class?
mysql wpdb sql

3 réponses

votes

- 4
- 2011-02-08
Vous devez doubler lespourcentages afin qu'ilsne soientpastraités comme desmarqueurs defragmentpar wpdb->prepare():

$wpdb->prepare( "SELECT column_1 from `{$wpdb->base_prefix}my_table` WHERE column_2 LIKE %%%s%%;", $wpdb->esc_like( $number_to_put_in_like));

PSn'estpas sûr que ce soit lameilleure/la seulefaçon de lefaire.
You need to double percent so they are no treated like fragment markers by wpdb->prepare():

$wpdb->prepare( "SELECT column_1 from `{$wpdb->base_prefix}my_table` WHERE column_2 LIKE %%%s%%;", $wpdb->esc_like( $number_to_put_in_like));

PS not sure this is best/only way to do it.
- N'oubliezpas que ** vous devez ajouter lesguillemets autour de la chaîne vous-même **,car [`wpdb ::prepare`ne les ajoutera quepour un`% s` quin'estpasprécédé d'un `%`] (http://core.trac.wordpress.org/browser/tags/3.0.5/wp-includes/wp-db.php # L899).La dernièrepartie de votre requête doit être `` WHERE column_2 LIKE '%%% s %%' '.
  
  Remember that **you must add the quotes around the string yourself**, because [`wpdb::prepare` will only add them for a `%s` that is not preceded by an `%`](http://core.trac.wordpress.org/browser/tags/3.0.5/wp-includes/wp-db.php#L899). The final part of your query should be `WHERE column_2 LIKE '%%%s%%'`.
  - 4
  - 2011-02-08
  - Jan Fabry
- 2
- 2012-10-25
Voici unefaçon deprocéder quej'ai vérifiéeet quifonctionne:

$search_text = "%" . $_GET['some_text'] . "%"; $user_count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM mix_library WHERE ml_setting_name LIKE %s", $search_text ) );

Remplacez les variables selon vosbesoins.
This is one way to do it that I've checked and it works:

$search_text = "%" . $_GET['some_text'] . "%"; $user_count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM mix_library WHERE ml_setting_name LIKE %s", $search_text ) );

Replace variables to suit your needs.
- Vous devez échapper les caractères `%` (en utilisant `like_escape ()`. Voir: http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks
  
  You should escape `%` characters (by using `like_escape()`. See: http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks
  - 5
  - 2012-10-25
  - Stephen Harris

Jan Fabry · Accepted Answer · 2011-02-08

55

2011-02-08

Lafonction $wpdb->esc_likeexiste dans WordPress car l'échappementnormal de labase de donnéesn'échappepas les caractères %et _. Cela signifie que vouspouvez les ajouter dans vos arguments à wpdb::prepare() sansproblème. C'est aussi ce queje vois dans le code WordPress debase :

 $wpdb->prepare(" AND $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%');

Votre code ressemblerait donc à:

 $wpdb->prepare(
    "SELECT
        column_1
    FROM
        `{$wpdb->base_prefix}my_table`
    WHERE
        column_2 LIKE %s;",
    '%' . $wpdb->esc_like($number_to_put_in_like) . '%'
);

Vouspouvez également ajouter %% dans votre requêtepour obtenir un littéral % (wpdb::prepare() utilise vsprintf()en arrière-plan, qui a cette syntaxe ),mais rappelez-vous que votre chaîne serane pas être cité ,vous devez ajouter lesguillemets vous-même (ce quin'estpas ce que vous avezgénéralement àfaire dans wpdb::prepare().

The $wpdb->esc_like function exists in WordPress because the regular database escaping does not escape % and _ characters. This means you can add them in your arguments to wpdb::prepare() without problem. This is also what I see in the core WordPress code:

$wpdb->prepare(" AND $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%');

So your code would look like:

$wpdb->prepare(
    "SELECT
        column_1
    FROM
        `{$wpdb->base_prefix}my_table`
    WHERE
        column_2 LIKE %s;",
    '%' . $wpdb->esc_like($number_to_put_in_like) . '%'
);

You can also add %% in your query to get a literal % (wpdb::prepare() uses vsprintf() in the background, which has this syntax), but remember that your string will not be quoted, you must add the quotes yourself (which is not what you usually have to do in wpdb::prepare().

à quoi servent les «{}»?

what are the `{}` for ?
- 0
- 2014-08-20
- Francisco Corrales Morales
@FranciscoCorralesMorales: Pourindiquer quetout ce qu'il contient doit être considéré [uneexpression variable] (http://stackoverflow.com/questions/2596837/curly-braces-in-string-in-php),sinonilne verrait que `$wpdb`,et ignorez lepréfixe `- >` après.

@FranciscoCorralesMorales: To indicate that everything inside it should be considered [a variable expression](http://stackoverflow.com/questions/2596837/curly-braces-in-string-in-php), otherwise it would only see `$wpdb`, and ignore the `->prefix` after it.
- 0
- 2014-08-21
- Jan Fabry
@JanFabry Fermer.Je corrigerais le commentairepour dire: "... sinonil verraittout` $ wpdb->base_prefixmy_table`et essayerait de rechercher lapropriété `base_prefixmy_table` au lieu de simplement`base_prefix`.

@JanFabry Close. I would correct the comment to say: "... otherwise it would see all of `$wpdb->base_prefixmy_table` and try to to look up `base_prefixmy_table` property instead of just `base_prefix`.
- 1
- 2017-10-10
- Flimm