I am using a var inside a SQL statement, which checks on a field which could have many tags in, e.g.
adtags="home, about, article"
$queryVar = 'home';
$bannerName = $wpdb->get_results($wpdb->prepare("select pic.filename
, pic.pid
, fv1.field_value as MovieName
, fv2.field_value as Adlink
from ngg_pictures pic
inner join
nggcf_fields f1
on f1.field_name = 'adtags'
inner join
nggcf_field_values as fv1
on fv1.pid = pic.pid
and fv1.fid = f1.id
inner join
nggcf_fields f2
on f2.field_name = 'adlink'
inner join
nggcf_field_values as fv2
on fv2.pid = pic.pid
and fv2.fid = f2.id
where fv1.field_value like '%s' ",$queryVar));
Note: fv1.field_value is pulling adtags.
I can get this to work where I can find one instance if adtags only contains one tag, and I removed the queryVar method, but what I would like to do is search fv1.field_value for the occurrence of $queryVar (home or anything that's passed).
I think in order to do this I need to use a wildcard, such as %home%:
where fv1.field_value like '%home%'
But how do I achieve this when the queryVar is referenced as %s? Can I escape this out somehow?
Thanks
Answer 1
It would help to see the whole line of code.
Just put the variable in the string.
Before that you could do something to avoid possible query injection.
Take only the first word.
Take only letters.
Answer 2
Do this before the query:
Answer 3
Escape with %.
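The approach the answers point at, worked through as an added example (not code from the question or the answers): escape the search term's LIKE metacharacters, put the wildcards into the value rather than into the format string, and let prepare() do the quoting. It assumes it runs inside WordPress 4.0 or later (global $wpdb with esc_like()) and uses the question's table and field names.

```php
<?php
// Added example: find banners whose comma-separated "adtags" custom field
// contains $tag. Assumes WordPress context (global $wpdb) and the same
// table/field names as the question's query.
function find_banners_by_tag( $tag ) {
    global $wpdb;

    // 1. Escape LIKE metacharacters in the user-supplied value first.
    //    Without this a tag of "%" would match every row and "_" would act
    //    as a one-character wildcard. esc_like() only handles % and _ ;
    //    SQL quoting is still done by prepare() below.
    $needle = $wpdb->esc_like( trim( $tag ) );

    // 2. Add the wildcards to the VALUE, not to the format string.
    //    prepare() quotes the whole %s argument, so "%home%" reaches MySQL
    //    as '%home%'. (A literal % in the format string itself would have
    //    to be written as %%.)
    $pattern = '%' . $needle . '%';

    // 3. Keep %s unquoted in the format string; prepare() adds the quotes.
    $sql = $wpdb->prepare(
        "SELECT pic.filename, pic.pid,
                fv1.field_value AS MovieName,
                fv2.field_value AS Adlink
           FROM ngg_pictures pic
           INNER JOIN nggcf_fields f1
                   ON f1.field_name = 'adtags'
           INNER JOIN nggcf_field_values fv1
                   ON fv1.pid = pic.pid AND fv1.fid = f1.id
           INNER JOIN nggcf_fields f2
                   ON f2.field_name = 'adlink'
           INNER JOIN nggcf_field_values fv2
                   ON fv2.pid = pic.pid AND fv2.fid = f2.id
          WHERE fv1.field_value LIKE %s",
        $pattern
    );

    // Note: this is a substring match, so 'home' also matches a tag such as
    // 'homepage'; tighten the pattern if tags must match as whole words.
    return $wpdb->get_results( $sql );
}

// Usage inside a theme or plugin:
// $banners = find_banners_by_tag( 'home' );
```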