
You're welcome! I know, it requires more work, and to be precise your script should be modified to use prepared statements; it will help to avoid SQL injections (but not always). Something like this should work with PHP 5.2.1 and above:

$query = "SELECT SQL_CALC_FOUND_ROWS test_static_content.title, test_static_content.content, test_static_content.images
          FROM test_static_content
          WHERE upper(test_static_content.images) LIKE :find
             OR upper(test_static_content.title) LIKE :find
             OR upper(test_static_content.content) LIKE :find
          UNION ALL
          SELECT test_dynamic_content.title, test_dynamic_content.content, test_dynamic_content.images
          FROM test_dynamic_content
          WHERE upper(test_dynamic_content.images) LIKE :find
             OR upper(test_dynamic_content.title) LIKE :find
             OR upper(test_dynamic_content.content) LIKE :find";

And:

try
{
    // wrap the search term in wildcards; the value is bound, never concatenated into the SQL
    $find = '%'.$find.'%';
    $pdoStatement = $pdo->prepare($query);
    $pdoStatement->bindParam(':find', $find, PDO::PARAM_STR);
    $pdoStatement->execute();
}
catch (PDOException $e)
{
    // a try block needs a catch (or finally) to be valid PHP; log the driver message server-side
    error_log('Query failed: ' . $e->getMessage());
}

With previous versions of PHP, instead, you have to bind each parameter separately:

$pdoStatement->bindParam(':find1', $find, PDO::PARAM_STR);
$pdoStatement->bindParam(':find2', $find, PDO::PARAM_STR);
$pdoStatement->bindParam(':find3', $find, PDO::PARAM_STR);
...

And obviously match them in the prepared query.

Edited by cereal
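Worked example, added here and not cereal's code: a complete search function that ties the two snippets above together. It assumes a PDO connection `$pdo` to the MySQL database discussed in the thread, with the `test_static_content` and `test_dynamic_content` tables and columns (`title`, `content`, `images`) from the original query; the function name `searchContent` and the usage DSN are made up for the example. It uses distinct placeholder names for every occurrence, because reusing one named placeholder only works while PDO emulates prepares (the MySQL driver's default), and it escapes `%` and `_` in the user's input so a search term cannot turn into a match-everything pattern.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection $pdo to the
// MySQL database with the test_static_content and test_dynamic_content tables
// (title, content, images) used by the original query. searchContent() is a
// name chosen for this example; the thread does not define it.

function searchContent(PDO $pdo, $userInput)
{
    // Escape LIKE metacharacters so user input containing "%" or "_" cannot
    // widen the match; the backslash is MySQL's default LIKE escape character.
    $find = '%' . strtoupper(addcslashes($userInput, '%_\\')) . '%';

    // One placeholder per occurrence: reusing ":find" six times only works with
    // emulated prepares (PDO::ATTR_EMULATE_PREPARES = true, the MySQL driver
    // default). Native prepares reject a repeated named marker.
    $sql = "SELECT SQL_CALC_FOUND_ROWS s.title, s.content, s.images
            FROM test_static_content s
            WHERE UPPER(s.images) LIKE :find1
               OR UPPER(s.title) LIKE :find2
               OR UPPER(s.content) LIKE :find3
            UNION ALL
            SELECT d.title, d.content, d.images
            FROM test_dynamic_content d
            WHERE UPPER(d.images) LIKE :find4
               OR UPPER(d.title) LIKE :find5
               OR UPPER(d.content) LIKE :find6";

    try {
        $stmt = $pdo->prepare($sql);
        // bindValue copies the value, so one variable can serve every marker.
        foreach (array('find1', 'find2', 'find3', 'find4', 'find5', 'find6') as $name) {
            $stmt->bindValue(':' . $name, $find, PDO::PARAM_STR);
        }
        $stmt->execute();
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

        // SQL_CALC_FOUND_ROWS makes the total (ignoring any LIMIT) available here.
        $total = (int) $pdo->query('SELECT FOUND_ROWS()')->fetchColumn();

        return array('rows' => $rows, 'total' => $total);
    } catch (PDOException $e) {
        // Keep driver details in the server log; never echo them to the client.
        error_log('searchContent failed: ' . $e->getMessage());
        return array('rows' => array(), 'total' => 0);
    }
}

// Usage (assumed DSN and credentials, not from the thread):
// $pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'pass',
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
// $term   = isset($_GET['find']) ? $_GET['find'] : '';
// $result = searchContent($pdo, $term);
// foreach ($result['rows'] as $row) { echo htmlspecialchars($row['title']), "\n"; }
```

Setting `PDO::ATTR_ERRMODE` to `ERRMODE_EXCEPTION` is what makes the `catch` block meaningful; with the default silent mode a failed `prepare()` returns `false` and the error would go unnoticed.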
