I'm getting this error:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
code:
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();
I'm trying to get the user input into the prepared statement.
This code works fine but is insecure against SQL injections:
$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");
When using LIKE in a prepared statement, it's a little bit different. You should add the % to the parameter before binding it to the statement.
Try something like below:
$param = "%{$_GET['search']}%";
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE ?");
$stmt->bind_param('s', $param);
$stmt->execute();
$result = $stmt->get_result();
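As an added example (not code from the question or the answer above), here is the same search wrapped in a function that also escapes the LIKE wildcards `%` and `_` inside the user's input, so a search term cannot itself act as a pattern; it assumes the `$sql` mysqli connection and the `messages` table from the question:

```php
<?php
// Added example, not the poster's code. Assumes $sql is a connected mysqli
// object and the `messages` table from the question exists.

// Escape LIKE metacharacters so a user typing "%" or "_" matches those
// literal characters instead of turning them into wildcards. The backslash
// is MySQL's default ESCAPE character for LIKE, so it is escaped as well.
function escapeLikePattern(string $term): string
{
    return addcslashes($term, '\\%_');
}

function searchMessages(mysqli $sql, string $term): array
{
    // The ? placeholder must stand alone in the SQL text. A ? written inside
    // '...' is just a literal character, which is why "LIKE '%?%'" prepares a
    // statement with zero parameters and bind_param() reports the mismatch.
    $stmt = $sql->prepare(
        "SELECT name, site, message, `when` FROM messages WHERE message LIKE ?"
    );

    // The wildcards are part of the bound value, never of the SQL string.
    $param = '%' . escapeLikePattern($term) . '%';
    $stmt->bind_param('s', $param);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample use: the term comes from the query string as in the question.
$rows = searchMessages($sql, $_GET['search'] ?? '');
```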