PHP PDO 准备语句——MySQL LIKE 查询

Question

我正在尝试通过 php 的 PDO 类(mysql 驱动程序)进行搜索。我在 MySQL 客户端上执行以下查询(表名已更改以保护无辜者):

SELECT    hs.hs_pk, 
          hs.hs_text, 
          hs.hs_did, 
          hd.hd_did, 
          hd.hd_text, 
          hv.hv_text, 
          hc.hc_text 
FROM      hs 
LEFT JOIN hd 
 ON       hs.hs_did = hd.hd_did 
LEFT JOIN hd 
 ON       hd.hd_vid = hv.hv_id 
LEFT JOIN hc 
 ON       hd.hd_pclass = hc.hc_id
WHERE     hs.hs_text LIKE "%searchTerm%"
LIMIT 25;

无论我使用什么搜索词，这都像一个魅力。但是，当我转向 php 时，我无法让它返回任何内容。我尝试了几种不同的语法，这些语法似乎合乎逻辑，但我尝试过的都不起作用。这是我现有的代码:

$handle = fopen('/foo/bar/test.log', 'w+');
fwrite($handle, "doSearch, with search term: $searchTerm\n");
$sql = 
'SELECT   hs.hs_pk, 
          hs.hs_text, 
          hs.hs_did, 
          hd.hd_did, 
          hd.hd_text, 
          hv.hv_text, 
          hc.hc_text 
FROM      hs 
LEFT JOIN hd 
 ON       hs.hs_did = hd.hd_did 
LEFT JOIN hd 
 ON       hd.hd_vid = hv.hv_id 
LEFT JOIN hc 
 ON       hd.hd_pclass = hc.hc_id
WHERE     hs.hs_text LIKE :searchTerm
LIMIT 25';

try {
 $dbh = new PDO('mysql:host=localhost;dbname=awdb', "user", "password");
 fwrite($handle, "connected to DB\n");
 $prep = $dbh->prepare($sql);
 $ret = $prep->execute(array(':searchTerm' => '"%'.$searchTerm.'%"'));

 while ($row = $prep->fetch(PDO::FETCH_ASSOC)) {
  $i++;
  $result[$i]['subText'] = $row['hs_pk'];
  $result[$i]['subText'] = $row['hs_text'];
  $result[$i]['subDid'] = $row['hs_did'];
  $result[$i]['devDid'] = $row['hd_did'];
  $result[$i]['devText'] = $row['hd_text'];
  $result[$i]['vendorText'] = $row['hv_text'];
  $result[$i]['classText'] = $row['hc_text'];
 }
    $dbh = null;
}   
catch (PDOException $e) {
  print "Error!: " . $e->getMessage() . "<br/>";
  die();
}

我也尝试了以下方法(SQL WHERE 子句和 prep->execute 行都是更改):

WHERE hs.hs_text LIKE CONCAT(\'%\', ?, \'%\') 
$ret = $prep->execute(array($searchTerm));

WHERE hs.hs_text LIKE "%:searchTerm%" 
$ret = $prep->execute(array(':searchTerm' => $searchTerm));

WHERE hs.hs_text LIKE ":searchTerm" 
$ret = $prep->execute(array(':searchTerm' => '%'.$searchTerm.'%'));

等等...

Answer 1

$ret = $prep->execute(array(':searchTerm' => '"%'.$searchTerm.'%"'));

这是错误的。您不需要双引号。

WHERE hs.hs_text LIKE ":searchTerm" 
$ret = $prep->execute(array(':searchTerm' => '%'.$searchTerm.'%'));

这也是错误的。 尝试使用:

$prep = $dbh->prepare($sql);
$ret = $prep->execute(array(':searchTerm' => '%'.$searchTerm.'%'));

说明:准备好的语句不仅仅执行字符串替换。它们传输的数据与查询完全分开。仅当将值嵌入到查询中时才需要引号。