Re^2: Quoting Strings For SQL LIKE queries

Sorry, you're quite right, that was just an example and I should have posted

    SELECT * FROM foo WHERE bar LIKE '%it's not a problem%'
[download]

or similar.

OK for an example of it not working? If I do this:

$str = $dbh->quote("it's not a problem");

$sth = $dbh->prepare(
"SELECT * FROM practice WHERE name LIKE '%$str%'"
) || die "Error: " . $dbh->errstr;

$sth->execute() || die "Error: " . $dbh->errstr;
[download]

I get an error:

Error: You have an error in your SQL syntax. Check the manual that cor
+responds to your MySQL server version for the right syntax to use nea
+r 'it\'s not a problem'%'' at line 1 at /foo/bar.cgi line 29.
[download]

What I'm saying is, the quote() function puts backslashes before my apostrophes. But that's not what I need if it's LIKE (something containing an apostrophe). What am I missing?

($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss')
=~y~b-v~a-z~s; print

Comment on Re^2: Quoting Strings For SQL LIKE queries Select or Download Code

Replies are listed 'Best First'.
Re^3: Quoting Strings For SQL LIKE queries by jZed (Prior) on Dec 22, 2004 at 01:07 UTC
If you use $dbh->quote() on a string, that puts quote marks around it, so when you put more quotes around it in your SQL you are ruining it. Here are two ways to do it: `$str = $dbh->quote("%it's not a problem%"); $sth = $dbh->prepare( "SELECT * FROM practice WHERE name LIKE $str" ) \|\| die "Error: " . $dbh->errstr; $sth->execute() \|\| die "Error: " . $sth->errstr; OR BETTER $str = "%it's not a problem%"; $sth = $dbh->prepare( "SELECT * FROM practice WHERE name LIKE ?" ) \|\| die "Error: " . $dbh->errstr; $sth->execute($str) \|\| die "Error: " . $sth->errstr;` [download] Note that I also changed $dbh->errstr to $sth->errstr for your execute, the error is in whatever handle you are using ($dbh for prepare, $sth for execute).	[reply] [d/l]
Re^4: Quoting Strings For SQL LIKE queries by Cody Pendant (Prior) on Dec 22, 2004 at 01:27 UTC
Ah, I see. Of course it puts quotes around it. But there's still something I don't get. If I use your code, and print $str after you've quoted it: `$str = $dbh->quote("%it's not a problem%"); print "<p>quoted: $str</p>";` [download] I can see that it's been changed into `'%it\'s not a problem%'` And it works. But if I use that string literally, as in: `$sth = $dbh->prepare( "SELECT name FROM practice WHERE name LIKE '%it\'s not a problem%' " ) \|\| die "Error: " . $dbh->errstr;` [download] I get the error again. And if instead I use this: `$sth = $dbh->prepare( "SELECT name FROM practice WHERE name LIKE '%it''s not a problem%' " ) \|\| die "Error: " . $dbh->errstr;` [download] Then it works. Can you see the disconnect, and why I "deduced", wrongly it seems, that there are two different kinds of quoting? ($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss') =~y~b-v~a-z~s; print	[reply] [d/l] [select]
Re^5: Quoting Strings For SQL LIKE queries by jZed (Prior) on Dec 22, 2004 at 01:35 UTC
Yes, :-), I can certainly see why you'd get confused. There are sooo many levels of quoteing - perl quoting, SQL quoting, DBI quoting ... so lots of people do get confused about it. The SQL standard says that the proper way to quote an apostrophe is to double it so that two-apostrophes are really one literal apostrophe. MySQL and some other databases additionally allow you to use a backslash as an escape character so that backslash-apostrophe is the the same as two apostrophes, i.e. both are equal to one literal apostrophe. Ok, so why didn't this work"SELECT name FROM practice WHERE name LIKE '%it\'s not a problem%' " ??? Well print it out and you'll see it doesn't contain a backslash :-) because now perl is seeing the backslash in the string and perl (not SQL) says backslash apostrophe is the same as apostrophe, so SQL never even sees the backslash. Still confused? I am. That's why I use placeholders, they're simpler (and safer, and sometimes more efficient).	[reply]
Re^6: Quoting Strings For SQL LIKE queries by Cody Pendant (Prior) on Dec 22, 2004 at 01:50 UTC
Re^3: Quoting Strings For SQL LIKE queries (have a cookie) by tye (Sage) on Dec 22, 2004 at 06:32 UTC
Ohh, what's really going to bake your noodle later on is, how do you portably quote the '%' or '_' in $str (you want to search for `bar`s that mention "the 7% solution"). - tye	[reply]