От Ръководство за MySQL :
Така че трябва да екранирате низ за LIKE
оператор в две стъпки.
В PHP може да бъде така:
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(array('\\', '_', '%'), array('\\\\', '\\_', '\\%'), $string);
// Second step - literal escaping
$string = mysql_real_escape_string($string);
// Result query
mysql_query("SELECT * FROM `table` WHERE `column` LIKE '%".$string."%'");
АКТУАЛИЗАЦИЯ:
Използвайте MySQLi
// Connect to database
$mysqli = new mysqli('localhost', 'username', 'password', 'database');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Second step - literal escaping
$string = $mysqli->real_escape_string($string);
// Result query
$mysqli->query("SELECT * FROM `table` WHERE `column` LIKE '%{$string}%'");
Използвайте PDO
// Connect to database
$conn = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Second step - literal escaping
$string = $conn->quote($string);
// Result query
$conn->query("SELECT * FROM `table` WHERE `column` LIKE '%{$string}%'");
Или можете да използвате подготвено изявление за PDO , вместо втора стъпка (буквално бягство):
// Connect to database
$conn = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Prepare a statement for execution
$statement = $conn->prepare("SELECT * FROM `table` WHERE `column` LIKE ?");
// Execute a prepared statement
$statement->execute(["%{$string}%"]);