Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
0 votes
543 views
in Q2A Core by
closed by

Using a query like this: 

$postdata = qa_db_read_one_assoc(
qa_db_query_sub('
  SELECT userid, content FROM ^posts 
  WHERE content LIKE "%'.$word.'%"
)
);

will bring security issues.

I'd like to use the $ "placeholder" to insert the $word and have a secure query. But:

$postdata = qa_db_read_one_assoc(
qa_db_query_sub('
  SELECT userid, content FROM ^posts 
  WHERE content LIKE $
), "%'.$word.'%"
);

Does not work.

Is there any way of how to get the % as MYSQL part into the query and use the $ for the qa_db_query_sub().

Q2A version: 1.8.0
closed with the note: Done
by
> Does not work.
1. What error are you getting?
2. What is the content of $word?
by
I just tried again and changed "%'.$word.'%" to '%'.$word.'%' – seems to work now!
by
That makes sense :)
...