来自MySQL Manual:
由于 MySQL 在字符串中使用 C 转义语法(例如,“\n”表示换行符),因此您必须将在 LIKE 字符串中使用的任何“\”加倍。例如,要搜索“\n”,请将其指定为“\\n”。搜索“\”,指定为“\\\\”;这是因为反斜杠被解析器剥离一次,并在进行模式匹配时再次剥离,留下一个反斜杠进行匹配。
因此,您应该分两步为LIKE 运算符转义字符串。
在 PHP 中可以是这样的:
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(array('\\', '_', '%'), array('\\\\', '\\_', '\\%'), $string);
// Second step - literal escaping
$string = mysql_real_escape_string($string);
// Result query
mysql_query("SELECT * FROM `table` WHERE `column` LIKE '%".$string."%'");
更新:
MySQL 扩展在 PHP 5.5.0 中被弃用,并在 PHP 7.0.0 中被删除。相反,应该使用 MySQLi 或 PDO_MySQL 扩展名。
使用 MySQLi
// Connect to database
$mysqli = new mysqli('localhost', 'username', 'password', 'database');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Second step - literal escaping
$string = $mysqli->real_escape_string($string);
// Result query
$mysqli->query("SELECT * FROM `table` WHERE `column` LIKE '%{$string}%'");
使用 PDO
// Connect to database
$conn = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Second step - literal escaping
$string = $conn->quote($string);
// Result query
$conn->query("SELECT * FROM `table` WHERE `column` LIKE '%{$string}%'");
或者您可以使用 PDO 准备语句,而不是第二步(文字转义):
// Connect to database
$conn = new PDO('mysql:host=localhost;dbname=database', 'username', 'password');
// Your search string, for example, from POST field
$string = $_POST['column'];
// First step - LIKE escaping
$string = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $string);
// Prepare a statement for execution
$statement = $conn->prepare("SELECT * FROM `table` WHERE `column` LIKE ?");
// Execute a prepared statement
$statement->execute(["%{$string}%"]);