in reply to Re^2: Quoting Strings For SQL LIKE queries
in thread Quoting Strings For SQL LIKE queries

If you use $dbh->quote() on a string, that puts quote marks around it, so when you put more quotes around it in your SQL you are ruining it. Here are two ways to do it:
    # quote() returns the value already wrapped in quotes, so interpolate it bare
    $str = $dbh->quote("%it's not a problem%");
    $sth = $dbh->prepare( "SELECT * FROM practice WHERE name LIKE $str" ) || die "Error: " . $dbh->errstr;
    $sth->execute() || die "Error: " . $sth->errstr;

OR BETTER

    # placeholder: the value (wildcards included) is bound at execute time, never parsed as SQL
    $str = "%it's not a problem%";
    $sth = $dbh->prepare( "SELECT * FROM practice WHERE name LIKE ?" ) || die "Error: " . $dbh->errstr;
    $sth->execute($str) || die "Error: " . $sth->errstr;
Note that I also changed $dbh->errstr to $sth->errstr for your execute: the error is in whatever handle you are using ($dbh for prepare, $sth for execute).

Re^4: Quoting Strings For SQL LIKE queries
by Cody Pendant (Prior) on Dec 22, 2004 at 01:27 UTC
    Ah, I see. Of course it puts quotes around it.

    But there's still something I don't get.

    If I use your code, and print $str after you've quoted it:

    $str = $dbh->quote("%it's not a problem%");
    print "<p>quoted: $str</p>";

    I can see that it's been changed into '%it\'s not a problem%'

    And it works.

    But if I use that string literally, as in:

    $sth = $dbh->prepare( "SELECT name FROM practice WHERE name LIKE '%it\'s not a problem%' " ) || die "Error: " . $dbh->errstr;

    I get the error again.

    And if instead I use this:

    $sth = $dbh->prepare( "SELECT name FROM practice WHERE name LIKE '%it''s not a problem%' " ) || die "Error: " . $dbh->errstr;

    Then it works. Can you see the disconnect, and why I "deduced", wrongly it seems, that there are two different kinds of quoting?


    ($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss')
    =~y~b-v~a-z~s; print
      Yes, :-), I can certainly see why you'd get confused. There are sooo many levels of quoting - perl quoting, SQL quoting, DBI quoting ... so lots of people do get confused about it. The SQL standard says that the proper way to quote an apostrophe is to double it so that two apostrophes are really one literal apostrophe. MySQL and some other databases additionally allow you to use a backslash as an escape character so that backslash-apostrophe is the same as two apostrophes, i.e. both are equal to one literal apostrophe.

      Ok, so why didn't this work: "SELECT name FROM practice WHERE name LIKE '%it\'s not a problem%' " ??? Well print it out and you'll see it doesn't contain a backslash :-) because now perl is seeing the backslash in the string and *perl* (not SQL) says backslash apostrophe is the same as apostrophe, so SQL never even sees the backslash.

      Still confused? I am. That's why I use placeholders, they're simpler (and safer, and sometimes more efficient).
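The three quoting layers described in the reply above (perl, SQL, DBI) side by side, as an added example that is not code from anyone in this thread. It assumes DBD::SQLite is installed and uses an in-memory database with a constructed `practice` table; SQLite follows the SQL standard, so doubling is its only apostrophe escape and quote() doubles rather than backslashes.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use DBI;

# constructed test data: one row that contains an apostrophe, one that does not
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE practice (name TEXT)");
$dbh->do("INSERT INTO practice (name) VALUES ('it''s not a problem')");
$dbh->do("INSERT INTO practice (name) VALUES ('something else')");

my $needle = "%it's not a problem%";   # the value as typed, apostrophe and wildcards included

# Layer 1, perl: inside a double-quoted perl string \' is just ', so the backslash
# never reaches the database and SQL sees an unterminated literal.
my $perl_ate_it = "SELECT name FROM practice WHERE name LIKE '%it\'s not a problem%'";
print "what SQL actually receives: $perl_ate_it\n";
eval { $dbh->selectrow_array($perl_ate_it) };
print "perl-escaped version fails: $@" if $@;

# Layer 2, SQL: the standard escape is a doubled apostrophe. Works, but you now
# own the escaping of every value in every query you write.
my $doubled = "SELECT name FROM practice WHERE name LIKE '%it''s not a problem%'";
print "doubled apostrophe matched: ", $dbh->selectrow_array($doubled), "\n";

# Layer 3, DBI: quote() returns the value together with its surrounding quotes,
# so it is interpolated bare. Wrapping it in another pair of quotes is the
# original bug: LIKE ''%it''s...%'' is not valid SQL.
my $quoted = $dbh->quote($needle);
print "quote() produced: $quoted\n";
print "quote() matched: ",
    $dbh->selectrow_array("SELECT name FROM practice WHERE name LIKE $quoted"), "\n";
eval { $dbh->selectrow_array("SELECT name FROM practice WHERE name LIKE '$quoted'") };
print "double-wrapped quote() fails: $@" if $@;

# Placeholder: the value is bound separately and never parsed as SQL, so none of
# the three layers applies. This is the form to use for user-supplied input.
my $sth = $dbh->prepare("SELECT name FROM practice WHERE name LIKE ?");
$sth->execute($needle);
print "placeholder matched: ", $sth->fetchrow_array, "\n";
```

Printing each SQL string before running it, as the reply suggests, is the quickest way to see which layer consumed a backslash or added a quote.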

        I think I reached my final forehead-slap and I now really get it. Thanks for your patience.


        ($_='kkvvttuubbooppuuiiffssqqffssmmiibbddllffss')
        =~y~b-v~a-z~s; print