What are the potential pitfalls of using the LIKE operator in a MySQL query in PHP?

When using the LIKE operator in a MySQL query in PHP, one potential pitfall is the risk of SQL injection if user input is not properly sanitized. To prevent this, it is important to use prepared statements with parameterized queries to securely handle user input.

// Example of using prepared statements to securely handle user input with the LIKE operator
$searchTerm = $_POST[&#039;search_term&#039;];

// Establish a database connection
$pdo = new PDO(&#039;mysql:host=localhost;dbname=database_name&#039;, &#039;username&#039;, &#039;password&#039;);

// Prepare a statement with a placeholder for the search term
$stmt = $pdo-&gt;prepare(&quot;SELECT * FROM table_name WHERE column_name LIKE :search_term&quot;);

// Bind the search term to the placeholder
$stmt-&gt;bindParam(&#039;:search_term&#039;, $searchTerm, PDO::PARAM_STR);

// Execute the query
$stmt-&gt;execute();

// Fetch the results
$results = $stmt-&gt;fetchAll();

// Loop through and display the results
foreach ($results as $result) {
    echo $result[&#039;column_name&#039;] . &quot;&lt;br&gt;&quot;;
}

Keywords

LIKE operator MySQL query PHP performance SQL injection

What are the potential pitfalls of using the LIKE operator in a MySQL query in PHP?

Keywords

Related Questions