PDO Prepare used in a function [duplicate] - php

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Can I use a PDO prepared statement to bind an identifier (a table or field name) or a syntax keyword?
(1 answer)
Closed 7 months ago.
My SQL query doesn't work if I use a function parameter to choose the column.
My goal is to have one function for all requests.
Thanks in advance.
$dbh = Connection::getPdo();
try {
$sth = $dbh->prepare('SELECT users_id, nom, prenom, password, role, email, users_login FROM users where ? = ? ');
$value="'".$value."'";
$sth->execute(array($parameter,$value));
$data = $sth->fetch(PDO::FETCH_ASSOC);
$user = new Users();
$user->setUserFromArray($data);
} catch (PDOException $e) {
die("ERROR: Could not able to execute query " . $e->getMessage());
}
return $user;
}

Related

Fetch COUNT DISTINCT data with prepared statements [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 years ago.
I have this code to get a COUNT DISTINCT data:
$param = 'email';
$stmt = $conn->stmt_init();
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(?)) FROM contatos");
$stmt->bind_param('s',$param);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($count);
while ($stmt->fetch()) {
echo $count;
}
But echo $count always returns 1, and I have dozens of records...
What is wrong?
Thanks
Binding is not allowed for column names (or table names). Your query is not executing correctly. You need to directly pass the name of the field.
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(email)) FROM contatos");

PDO Select form MYSQL db [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 8 years ago.
There are many hints on this topic; I tried this: How to create a secure mysql prepared statement in php?
and many others, but nothing is working. If I want to select something from the database and query without parameters, it's OK. But if I want data for a column and table with parameters, it doesn't work; it returns an empty array. Any hints?
Here is my code:
function getDataByColumn($column, $table) {
try {
$connection = new PDO("mysql:dbname=vydap;charset=utf8;host=127.0.0.1", "...","...");
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
$query = "SELECT ? FROM ?";
// $query = "SELECT :column FROM :table";
$stmt = $connection->prepare($query);
// $stmt->bindParam(':column', $column);
// $stmt->bindParam(':table', $table);
$stmt->bindParam(1, $column);
$stmt->bindParam(2, $table);
$stmt->execute();
$result = $stmt->fetchAll();
var_dump($result);
}
This is flat-out wrong:
$query = "SELECT ? FROM ?";
placeholders can represent only VALUES. You cannot use placeholders for field/table/db names - those aren't values - they're identifiers.
SELECT foo FROM bar WHERE foo = 'baz'
   a    b   c    d    e    f  g   h
a- sql keyword
b- field identifier
c- sql keyword
d- table identifier
e- sql keyword
f- field identifier
g- operator
h- value
Of that entire query, only the h portion is a candidate for using a placeholder.
You can't use PDO placeholders on table or columns names. Those are only used for values:
$query = "SELECT * FROM yourTable WHERE someCol = ?";
$stmt->bindParam(1, $value);

PHP changing from mysql_real_escape_string to PDO in table name [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I currently use mysql_real_escape_string to escape variables in MySQL queries. I know how to use bindValue, but I have a question about protection when I'm trying to insert a table name from a variable. For example:
$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");
Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?
You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:
$allowedTables = array('posts', 'users');
if(!in_array($tablename, $allowedTables)){
throw new Exception('Invalid table name: ' . $tablename);
}
$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();

MySQL where in (array) [duplicate]

This question already has answers here:
Can I bind an array to an IN() condition in a PDO query?
(23 answers)
Reference — frequently asked questions about PDO
(3 answers)
Closed 8 years ago.
function delete_group($db) {
$ids = Parameters::get('ids');
$ids = implode(',', $ids); // now a string like '5,6,7'.
add_to_log($ids);
try {
$stmt = $db->prepare("DELETE FROM mytable WHERE id IN (:ids)");
$stmt->bindParam(':ids', $ids, PDO::PARAM_STR);
$stmt->execute();
response('success', 'success', NULL);
}
catch (PDOException $e) {
response('error', 'Delete group failed.', NULL);
}
}
This code doesn't work: only the first row is deleted. But if I do
$stmt = $db->prepare("DELETE FROM mytable WHERE id IN ($ids)");
instead (just insert the string), it works, though the code has the SQL injection security issue. How to make it work and keep secured?
$ids = Parameters::get('ids');
$ids = array_map('intval', $ids);
$ids = implode(',', $ids);
Now you don't have to worry about injection.
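An added example, not from the question or the answer above, that makes the DELETE work for any number of ids by generating one placeholder per element and binding each one. The table name mytable is taken from the question; everything else (function name, connection setup) is assumed.

```php
<?php
// Added example: bind an array to IN() with one placeholder per element.
// For string values (e.g. emails) drop the intval() step and bind with
// PDO::PARAM_STR; the placeholder generation is the same.

declare(strict_types=1);

function deleteByIds(PDO $db, array $ids): int
{
    // Normalise to unique integers and re-index, so that positional
    // placeholders 1..n line up with the bound values.
    $ids = array_values(array_unique(array_map('intval', $ids)));
    if ($ids === []) {
        return 0; // "IN ()" is a syntax error in MySQL, so short-circuit.
    }

    // Builds "?,?,?" for three ids. The SQL text never contains user data.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM mytable WHERE id IN ($placeholders)");

    // Bind every element separately. Binding the single string '5,6,7' to one
    // placeholder sends one value, which MySQL casts to 5 when comparing with
    // an integer column; that is why only the first row was deleted.
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();

    return $stmt->rowCount();
}

// Usage (connection details assumed):
// $db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $deleted = deleteByIds($db, $_POST['ids'] ?? []);
```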

Markers do not work in prepared statements [duplicate]

This question already has answers here:
Table name as parameter using PDO/MySQL prepared statement [duplicate]
(2 answers)
Closed 8 years ago.
$dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
$sql = 'CREATE DATABASE :db_name';
$sth = $dbh->prepare($sql);
$sth->bindParam(':db_name', $_POST['db_name']);
var_dump($sth->execute());
It always shows false. But if I directly specify db_name, like this:
$sql = 'CREATE DATABASE database';
$sth = $dbh->prepare($sql);
$sth->execute();
It will work. What am I doing wrong?
You can only bind data (column values) in a parametrized query, not column names or table names. Also, in your code you tried to parametrize connection initialization, which I think is not correct.
You can alternatively depend on a whitelist of db names:
$databases = array('dbone', 'dbtwo');
then check
if(in_array($_POST['db_name'], $databases) ){
$dbname = $_POST['db_name'];
}
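An added example, not from any of the posts above, that pulls together the whitelist answers: one lookup function that takes the table and column as parameters, validates both against a hard-coded list, quotes them as identifiers, and binds only the value. The table and column names in the whitelist are assumed for illustration.

```php
<?php
// Added example: parameterised identifiers via whitelist + quoting, value via
// placeholder. The whitelist is the real control; quoting is defence in depth.

declare(strict_types=1);

// table => columns that may be used in a WHERE clause. Anything else is rejected.
const ALLOWED_COLUMNS = [
    'users'    => ['users_id', 'users_login', 'email'],
    'contatos' => ['id', 'email'],
];

// Quote a MySQL identifier; a backtick inside the name is doubled, which is
// MySQL's escaping rule for identifiers.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function findOneByColumn(PDO $pdo, string $table, string $column, $value): ?array
{
    if (!isset(ALLOWED_COLUMNS[$table]) || !in_array($column, ALLOWED_COLUMNS[$table], true)) {
        // Fail closed: an unknown identifier is a bug or an attack, never
        // something to splice into the SQL text.
        throw new InvalidArgumentException("Column $column on table $table is not searchable");
    }

    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = :value LIMIT 1',
        quoteIdentifier($table),
        quoteIdentifier($column)
    );
    $stmt = $pdo->prepare($sql);
    // Bind the raw value. Do not wrap it in quotes first: the driver quotes it,
    // so a pre-quoted value would be compared including its quote characters.
    $stmt->bindValue(':value', $value);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (connection details assumed):
// $pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $user = findOneByColumn($pdo, 'users', 'users_login', 'alice');
```

The same pattern covers the CREATE DATABASE case above: check $_POST['db_name'] against the list first, then quote it and concatenate it into the statement, since no placeholder can stand in for it.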
