Doctrine - how to use LIKE with dbal prepared statements

@edentHowTo php Symfony · 1 comment · 150 words · read ~306 times.

I'm just getting started with Symfony, so I'm blogging some of the weird things I'm finding.

I want to use Doctrine dbal to search a database for a partial match. For example searching for "smith" should find "blacksmith" and "smithy".

I have a prepared statement like this:

 PHP$queryBuilder = $conn->createQueryBuilder();

$queryBuilder

    ->select("whatever")

    ->from("table")

    ->where("name LIKE '%?%'")

    ->setParameter(0, $query);

But I get the error:

The number of variables must match the number of parameters in the prepared statement.

The solution is annoyingly simple. The escaping has to be in the parameter itself. Like this:

 PHP...

    ->where("name LIKE ?")

    ->setParameter(0, "%{$query}%");

I hope that's helpful to someone - even if that someone is me in a few years' time!

One thought on “Doctrine - how to use LIKE with dbal prepared statements”

2023-05-02 05:01

Hayden Schiff said on mastodon.online:

@Edent To help provide a sense of intuition for why it works this way: In the first code snippet, you're putting data directly into your query, which is what DBALs are designed to prevent. You always want your data strictly segregated from your query, to avoid SQL injection vulnerabilities.
Reply | Reply to original comment on mastodon.online
More comments on Mastodon.

Share this post on…

One thought on “Doctrine - how to use LIKE with dbal prepared statements”

Hayden Schiff said on mastodon.online:

More comments on Mastodon.

What are your reckons? Cancel reply