You're welcome! I know, it requires more work, and to be precise your script should be modified to use prepared statements; it will help to avoid SQL injections (but not always). Something like this should work with PHP 5.2.1 and above:

$query = "SELECT SQL_CALC_FOUND_ROWS test_static_content.title, test_static_content.content, test_static_content.images
          FROM test_static_content
          WHERE upper(test_static_content.images) LIKE :find
             OR upper(test_static_content.title) LIKE :find
             OR upper(test_static_content.content) LIKE :find
          UNION ALL
          SELECT test_dynamic_content.title, test_dynamic_content.content, test_dynamic_content.images
          FROM test_dynamic_content
          WHERE upper(test_dynamic_content.images) LIKE :find
             OR upper(test_dynamic_content.title) LIKE :find
             OR upper(test_dynamic_content.content) LIKE :find";

And:

try
{
    // Wrap the search term in wildcards, then bind it once for every :find
    $find = '%'.$find.'%';
    $pdoStatement = $pdo->prepare($query);
    $pdoStatement->bindParam(':find', $find, PDO::PARAM_STR);
    $pdoStatement->execute();
}
catch (PDOException $e)
{
    // A try without a catch is a syntax error in PHP; log and stop here
    error_log('Search query failed: ' . $e->getMessage());
}

With previous versions of PHP, you instead have to bind each parameter separately:

// One bindParam call per distinct placeholder, all bound to the same $find
$pdoStatement->bindParam(':find1', $find, PDO::PARAM_STR);
$pdoStatement->bindParam(':find2', $find, PDO::PARAM_STR);
$pdoStatement->bindParam(':find3', $find, PDO::PARAM_STR);
...

And obviously match them in the prepared query.
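The same search written out in full, as an added example that is not part of the original reply: it uses one placeholder per occurrence (so it works whether PDO emulates prepares or hands them to MySQL natively) and escapes the LIKE wildcards in the user's term, something a bound parameter alone does not do. It assumes `$pdo` is an existing PDO connection to a MySQL database holding the two tables from the thread; `escapeLikeTerm` and `searchContent` are names chosen here.

```php
<?php
// Added example, not the original poster's code.
// Assumes $pdo is a PDO connection to the MySQL database that holds
// test_static_content and test_dynamic_content.

function escapeLikeTerm(string $term): string
{
    // A bound parameter stops SQL injection, but '%' and '_' are still
    // LIKE wildcards: escape them so the user searches for literal text.
    // MySQL's default LIKE escape character is the backslash.
    return '%' . addcslashes($term, '%_\\') . '%';
}

function searchContent(PDO $pdo, string $term): array
{
    // Columns are compared with upper(), so uppercase the pattern too.
    $pattern = strtoupper(escapeLikeTerm($term));

    // Distinct placeholders: MySQL's native prepares reject the same named
    // placeholder used twice; only emulated prepares tolerate it.
    $sql = "SELECT s.title, s.content, s.images
              FROM test_static_content AS s
             WHERE upper(s.images)  LIKE :f1
                OR upper(s.title)   LIKE :f2
                OR upper(s.content) LIKE :f3
            UNION ALL
            SELECT d.title, d.content, d.images
              FROM test_dynamic_content AS d
             WHERE upper(d.images)  LIKE :f4
                OR upper(d.title)   LIKE :f5
                OR upper(d.content) LIKE :f6";

    $stmt = $pdo->prepare($sql);
    foreach (['f1', 'f2', 'f3', 'f4', 'f5', 'f6'] as $name) {
        // bindValue copies the value now; bindParam would bind by reference
        $stmt->bindValue(':' . $name, $pattern, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: the term comes straight from the request; no quoting needed here
// because it never touches the SQL text.
$rows = searchContent($pdo, $_GET['find'] ?? '');
```

Throwing `PDOException` (set `PDO::ATTR_ERRMODE` to `PDO::ERRMODE_EXCEPTION` on the connection) lets a failed prepare or execute surface in the `try`/`catch` from the reply instead of silently returning no rows.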
