MySQL LIKE operator in PHP [duplicate] - php

This question already has an answer here:
Correct way to use LIKE '%{$var}%' with prepared statements?
(1 answer)
Closed 1 year ago.
I should execute this method, but I don't know how to pass the %research value as a LIKE parameter in bind:
```php
public function researchElements($research) {
    // placeholder inside quotes: MySQL sees the literal string '%?%', not a parameter
    $stmt = $this->db->prepare("SELECT * FROM product WHERE product_name LIKE '%?%'");
    $stmt->bind_param('s', $research);
    $stmt->execute();
    $result = $stmt->get_result();
    $result = $result->fetch_all(MYSQLI_ASSOC);
    return $result;
}
```

At least you can use the CONCAT function in your query, like this:
```php
$stmt = $this->db->prepare("SELECT * FROM product WHERE product_name LIKE CONCAT('%',?,'%')");
```
Note: if the $research variable is '', the query will return all rows from the table.
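A complete version of the CONCAT approach, added here as an example rather than taken from the answer. It assumes a mysqli connection in $db and the `product` table from the question, and additionally escapes the LIKE wildcards `%` and `_` so that a user-typed "%" cannot match every row:

```php
<?php
// Added example, not from the original answer. Assumes a mysqli connection $db
// and a `product` table with a `product_name` column, as in the question.

// LIKE treats % and _ as wildcards. A search term of "%" alone would match every
// row and "_" matches any single character, so escape them before binding.
// "!" is used as the escape character to avoid backslash handling differences.
function escapeLikeWildcards(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function researchElements(mysqli $db, string $research): array
{
    // Reject an empty term explicitly instead of returning the whole table.
    if (trim($research) === '') {
        return [];
    }

    // The placeholder stays outside any quotes; CONCAT adds the wildcards in SQL.
    // ESCAPE '!' tells MySQL which character un-wildcards % and _ in the pattern.
    $sql = "SELECT * FROM product
            WHERE product_name LIKE CONCAT('%', ?, '%') ESCAPE '!'";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    $pattern = escapeLikeWildcards($research);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
```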

Related

How to get a column value using MySQLi? [duplicate]

This question already has answers here:
Single result from database using mysqli
(6 answers)
Closed 5 months ago.
I am trying to get a value from column "odznak" in the "users" tab for user "user01" and store it in variable $odznak (for searching in another tab).
```php
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = 'user01'");
$stmt->execute();
$result = $stmt;
$odznak;
```
You need to fetch the data (say, into an associative array).
On the other hand, as good practice, please use a parameterized prepared statement in your select query.
So, change to:
```php
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = ?");
// bind_param takes its arguments by reference, so the value must be a variable
$username = 'user01';
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
$odznak = $row["odznak"];
```
Now, $odznak is the retrieved data.

PHP Mysql Prepared statement different result [duplicate]

This question already has answers here:
I have an array of integers, how do I use each one in a mysql query (in php)? [duplicate]
(5 answers)
mySQL bind_param with IN(?) [duplicate]
(5 answers)
Closed 3 years ago.
I have this mysql query in php:
```php
$sql2 = "SELECT id, nazev, poradi FROM system WHERE id IN($idIs) ORDER BY poradi";
$result2 = mysqli_query($conn, $sql2);
```
The variable $idIs is a string '2,3' (two ids of system).
When I try to fill array $nazevSystemu, there are two values (because of the two ids from $idIs):
```php
$i = 0;
$nazevSystemu = [];
while($row2 = mysqli_fetch_assoc($result2)) {
    $nazevSystemu[$i] = $row2['nazev'];
    echo $row2['nazev'];
    $i++;
}
```
Result of echo $row2['nazev'];:
Value1Value2
I want to make it safe, to avert SQL injection, so I use a prepared statement like this (instead of the first two rows of code on this page):
```php
$stmt2 = $conn->prepare("SELECT id, nazev, poradi FROM system WHERE id IN(?) ORDER BY poradi");
$stmt2->bind_param("s", $idIs);
$stmt2->execute();
$result2 = $stmt2->get_result();
```
But now I get only this as the result of echo $row2['nazev']; - just one value:
Value1
What did I do wrong in the prepared statement?
You have to provide all ids as individual parameters.
So instead of IN(?) you have to write IN(?,?,?) and pass each parameter individually.
Code example:
```php
$ids = explode(',', $idIs);
// one "?" per id, e.g. "?,?" for two ids
$placeholders = implode(',', array_fill(0, count($ids), '?'));
$stmt2 = $conn->prepare("SELECT id, nazev, poradi FROM system WHERE id IN($placeholders) ORDER BY poradi");
// bind_param must be called once with all values; one type letter per id
$stmt2->bind_param(str_repeat('i', count($ids)), ...$ids);
$stmt2->execute();
$result2 = $stmt2->get_result();
```
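The same idea as a complete function, added here as an example (not code from the question or answer). It assumes a mysqli connection $conn and the `system` table from the question, validates each id before binding, and handles the empty-list case, which would otherwise produce an invalid `IN ()`:

```php
<?php
// Added example, not from the original answer. Assumes a mysqli connection $conn
// and the `system` table from the question; $idIs is a string such as '2,3'.

function fetchSystemNames(mysqli $conn, string $idIs): array
{
    // Turn '2,3' into validated integers. Anything non-numeric is rejected
    // rather than silently cast, so a stray value cannot alter the query.
    $ids = [];
    foreach (explode(',', $idIs) as $piece) {
        $piece = trim($piece);
        if (!ctype_digit($piece)) {
            throw new InvalidArgumentException("not a numeric id: $piece");
        }
        $ids[] = (int) $piece;
    }
    if ($ids === []) {
        return []; // IN () is a syntax error in MySQL, so short-circuit here
    }

    // One ? per id: IN (?,?) for two ids. Only the placeholder count varies,
    // never user input, so the statement text itself stays trusted.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT id, nazev, poradi FROM system
            WHERE id IN ($placeholders) ORDER BY poradi";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // bind_param takes all values in one call: type string 'ii' plus the ids.
    $stmt->bind_param(str_repeat('i', count($ids)), ...$ids);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    // Same shape as the question's $nazevSystemu array, one name per row.
    return array_column($rows, 'nazev');
}
```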

SQL prepared statement returns no result (empty result) [duplicate]

This question already has answers here:
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
PDO Parameterized Query - Reuse named placeholders?
(5 answers)
Closed 4 years ago.
The following prepared statement returns no result if I try, e.g., search('samsung').
```php
public function search($searchFor) {
    try{
        //connect to db
        $pdo = $this->_db->connect();
        //set up SQL and bind parameters
        // the placeholder is inside quotes here, so ':searchfor' never gets bound
        $sql = "select * from item where itemName like '%:searchfor%' or description like '%:searchfor%'";
        $stmt = $pdo->prepare($sql);
        $stmt->bindParam(':searchfor', $searchFor, PDO::PARAM_STR);
        //execute SQL
        $rows = $this->_db->executeSQL($stmt);
        return $rows;
    }
    catch (PDOException $e)
    {
        throw $e;
    }
}
```
$rows returns an empty array. But if I try
```sql
select * from item where itemName like '%samsung%' or description like '%samsung%';
```
it returns a matched item and works as expected.
I found
```php
$sql = "select * from item where itemName like :searchfor or description like :searchfor";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(":searchfor", "%$searchFor%");
```
works. I had to use bindValue instead. This was a totally different issue in that the SQL was correct but I used bindParam instead of bindValue (which is the correct method), hence this is not a duplicate.
Did you try to use a placeholder for the whole part of the statement?
```php
$sql = "select * from item where itemName like :searchfor or description like :searchfor";
$stmt = $pdo->prepare($sql);
// the wildcards go into the bound value, without any quotes
$search_string = "%" . $searchFor . "%";
$stmt->bindParam(':searchfor', $search_string, PDO::PARAM_STR);
```
Alternatively without named params:
```php
$sql = "select * from item where itemName like ? or description like ?";
$stmt = $pdo->prepare($sql);
$search_string = "%" . $searchFor . "%";
// PDO binds positional placeholders one at a time, by 1-based index
$stmt->bindParam(1, $search_string, PDO::PARAM_STR);
$stmt->bindParam(2, $search_string, PDO::PARAM_STR);
```
As far as I remember the manual, LIKE needs to have the whole string in the variable, not only the content to look for.
The prepared statement's placeholder tells PHP to treat the specific value that is passed into the placeholder as a string. Instead of this:
```php
$sql = "select * from item where itemName like '%:searchfor%' or
description like '%:searchfor%'";
```
Do this:
```php
$sql = "select * from item where itemName like :searchfor or
description like :searchfor";
```
Then bind whole values into the placeholders:
```php
// bindParam binds by reference, so the pattern must be held in a variable
$keyword = '%yourkeyword%';
$stmt->bindParam(':searchfor', $keyword, PDO::PARAM_STR);
```
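A full search method with PDO, added as an example and not taken from the question or answers. It assumes a PDO connection $pdo and the `item` table (itemName, description) from the question; it uses two distinct named placeholders, because with emulated prepares disabled MySQL does not accept the same named placeholder twice, and it escapes user-typed wildcards:

```php
<?php
// Added example, not from the original question or answers. Assumes a PDO
// connection $pdo and the `item` table (itemName, description) from the question.

function search(PDO $pdo, string $searchFor): array
{
    // With emulated prepares disabled, the server sees real placeholders. One
    // named placeholder can then appear only once per statement, so the two
    // LIKE clauses get two distinct names bound to the same value.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Wildcards belong in the bound value, never in the SQL text around the
    // placeholder: '%:searchfor%' is just a literal string to the database.
    // % and _ typed by the user are escaped so they match literally.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searchFor);
    $pattern = '%' . $escaped . '%';

    $sql = "SELECT * FROM item
            WHERE itemName LIKE :name ESCAPE '!'
               OR description LIKE :descr ESCAPE '!'";
    $stmt = $pdo->prepare($sql);

    // bindValue copies the value now; bindParam would keep a reference to
    // $pattern and read it at execute() time, which is also why a literal
    // string cannot be passed to bindParam.
    $stmt->bindValue(':name', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':descr', $pattern, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```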

Call to a member function bind_param() on boolean in [duplicate]

This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
(2 answers)
Closed 5 years ago.
This is working:
```php
$result = $conn->prepare("SELECT * FROM questions");
$result->execute();
```
But this is not:
```php
$result = $conn->prepare("SELECT * FROM (?)");
$result -> bind_param("s", $name_tb);
$name_tb = "questions";
$result->execute();
```
The error is:
Call to a member function bind_param() on boolean
This won't work.
It is actually not possible to bind table names. You can only bind query parameters. What you can do is something like:
```php
$table = "TABLENAME";
query($table);
function query($table) {
    $sql = "SELECT * FROM $table";
}
```
For sure you have to edit the content of the function so that it'll work. It's just to show you an example. But keep in mind: no table names, only parameters with bind.

Fetch COUNT DISTINCT data with prepared statements [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 years ago.
I have this code to get a COUNT DISTINCT value:
```php
$param = 'email';
$stmt = $conn->stmt_init();
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(?)) FROM contatos");
$stmt->bind_param('s',$param);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($count);
while ($stmt->fetch()) {
    echo $count;
}
```
But echo $count always returns 1, although I have dozens of records...
What is wrong?
Thanks
Binding is not allowed for column names (or table names). Your query is not executing correctly. You need to pass the name of the field directly.
```php
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(email)) FROM contatos");
```
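Since neither table names (the previous question) nor column names (this one) can be bound, the usual defence is to take the identifier from a fixed whitelist and only then place it in the SQL text. The following is an added example, not code from either answer; it assumes a mysqli connection $conn, the tables `questions` and `contatos` from the questions, and a hypothetical second column `nome` in the whitelist:

```php
<?php
// Added example, not from the original answers. Serves both questions above:
// table names (SELECT * FROM ?) and column names (COUNT(DISTINCT ?)) cannot be
// bound, so they are chosen from a fixed whitelist instead. Assumes a mysqli
// connection $conn; `questions` and `contatos` are the tables from the questions.

const ALLOWED_TABLES  = ['questions', 'contatos'];
const ALLOWED_COLUMNS = ['contatos' => ['email', 'nome']]; // 'nome' is assumed

// Return the identifier only if it is in the whitelist, quoted with backticks.
// What reaches the SQL text is always one of our own constants, never the
// caller's string, so no escaping of user input is involved at all.
function safeIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    return '`' . $name . '`';
}

// Replacement for SELECT * FROM (?): the table name is whitelisted, not bound.
function selectAll(mysqli $conn, string $name_tb): array
{
    $sql  = 'SELECT * FROM ' . safeIdentifier($name_tb, ALLOWED_TABLES);
    $stmt = $conn->prepare($sql);       // nothing left to bind
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Replacement for COUNT(DISTINCT(?)): column and table are both whitelisted.
function countDistinct(mysqli $conn, string $table, string $column): int
{
    $tbl = safeIdentifier($table, ALLOWED_TABLES);
    $col = safeIdentifier($column, ALLOWED_COLUMNS[$table] ?? []);
    // COUNT(DISTINCT `email`) counts column values; the bound version counted
    // the constant string 'email', which is why it always returned 1.
    $stmt = $conn->prepare("SELECT COUNT(DISTINCT $col) FROM $tbl");
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}
```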
