Prepared statements do escape the `\` properly. Otherwise they wouldn’t create properly formatted string literals, which is the main purpose of prepared statements.
Besides that, `%` and `_` are only special characters to the `LIKE` comparison but not to strings in general. So there is no need to escape them in general. If you need to escape them for a `LIKE` comparison, do it explicitly:

```php
$what = addcslashes($what, '%_');
```
Besides that, `LIKE` does also support the use of an escape character other than `\`:

```
mysql> SELECT 'David_' LIKE 'David|_' ESCAPE '|';
        -> 1
```
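As an added example (not code from the answer above): a PHP helper that escapes the `LIKE` wildcards and the escape character itself, then binds the resulting pattern as a prepared-statement parameter with an explicit `ESCAPE` clause. The `$pdo` connection, the `users` table and its `id`/`name` columns are assumed for illustration.

```php
<?php
// Added example, not from the answer above: escape the LIKE wildcards
// before binding the search term as a prepared-statement parameter.

/**
 * Escape the characters that are special to LIKE (% and _) and the escape
 * character itself, so that the search term is matched literally.
 */
function escapeLikeWildcards(string $term, string $esc = '\\'): string
{
    // The escape character is handled first; otherwise the escapes added
    // for % and _ would themselves be escaped a second time.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// Usage with PDO. The escape character is stated explicitly with ESCAPE, so
// the query does not depend on the server default (\ in MySQL) and the
// user-supplied term cannot widen the match with its own wildcards.
// $pdo, the "users" table and the "id"/"name" columns are assumed.
function findUsersByNamePrefix(PDO $pdo, string $prefix): array
{
    $esc = '|';
    $pattern = escapeLikeWildcards($prefix, $esc) . '%';

    $stmt = $pdo->prepare(
        "SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '|'"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a term such as "100%_off" must only match names that
// literally start with "100%_off", not every name containing "100".
// escapeLikeWildcards('100%_off', '|') yields '100|%|_off', and the bound
// pattern becomes '100|%|_off%'.
```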