My presumption was that this would be escaped by the PDO library. After all, how can PDO know I’m searching for a wildcard or searching for a string containing % ?
id name
------ -----------------------
1 Scallio
2 ScallioXTX
3 Scallio XTX
4 Scallio%
and the code
$pdo=new PDO('mysql:host=localhost;dbname=xxxx', 'xxxx', 'xxxx');
echo '<h1>Using "scallio%"</h1>';
$stmt=$pdo->prepare('SELECT name FROM persons WHERE name LIKE ?');
$stmt->bindValue(1, 'scallio%');
$stmt->execute();
while ($row=$stmt->fetch())
var_dump($row);
echo '<h1>Using "scallio\\%"</h1>';
$stmt=$pdo->prepare('SELECT name FROM persons WHERE name LIKE ?');
$stmt->bindValue(1, 'scallio\\%');
$stmt->execute();
while ($row=$stmt->fetch())
var_dump($row);
If I remember correctly, when you use MySQL with PDO then the prepare statement (bindParam/bindValue) only append quotes to strings, and to any existing quotes in the value.
I.e. if your string is “It’s a nice day.” it becomes " ‘It’‘s a nice day.’ ".
I dont have time to verify this at the moment, but that is what I remember from our tests when we started to use PDO a few years ago. If anyone have the time to check this with the latest version of PHP/MySQL drivers, please post what you find in this thread. Thanks.