This question already has answers here:
How to avoid code repetition with PHP SQL prepared statements?
(2 answers)
Closed 3 years ago.
There are similar questions here and some rather complex answers. I don't believe it should be that complicated. Perhaps it is. I am new to PDO. I have an array of key-value pairs. I need to update a record with those values. Is there a more intelligent way to do this?
$sql = "UPDATE Table SET ? = ? WHERE ID = ?";
$stmt = $pdo->prepare($sql);
foreach($QueryString as $Key=>$Value)
{
$stmt->execute($Key, $Value, $RecordID);
}
You can't bind a value to a column name, so your current code won't work at all. It would also be more efficient to form that query to make all the updates at once, for example:
$sql = "UPDATE Table SET";
$v = 0;
foreach ($QueryString as $Key=>$Value) {
if ($v++ > 0) $sql .= ',';
$sql .= " `$Key` = ?";
}
$sql .= " WHERE ID = ?";
$stmt = $pdo->prepare($sql);
$stmt->execute(array_merge(array_values($QueryString), array($RecordID)));
Note that this query is still vulnerable to injection if the keys of the $QueryString array come from an outside source. To avoid this issue, you should check that the columns actually exist, either using a manually specified whitelist e.g.
$colnames = ['col1', 'col2', 'col3'];
foreach ($QueryString as $Key=>$Value) {
if (!in_array($Key, $colnames)) {
// abort
}
if ($v++ > 0) $sql .= ',';
$sql .= " `$Key` = ?";
}
or by getting the list of the column names from the information_schema.columns table as described in this question and using the result of that query as your whitelist.
Related
This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Closed 2 years ago.
I have to select some rows from the database using IN operator. I want to do it using prepared statement. This is my code:
<?php
$lastnames = array('braun', 'piorkowski', 'mason', 'nash');
$in_statement = '"' . implode('", "', $lastnames) . '"'; //"braun", "piorkowski", "mason", "nash"
$data_res = $_DB->prepare('SELECT `id`, `name`, `age` FROM `users` WHERE `lastname` IN (?)');
$data_res->bind_param('s', $in_statement);
$data_res->execute();
$result = $data_res->get_result();
while ($data = $result->fetch_array(MYSQLI_ASSOC)) {
...
}
?>
But returns nothing although all data exists in the database.And one more: if i pass $in_statement directly to query and execute it, the data will be returned. So the problem appears on preparing.I was looking for the question in Google but it wasn't' successful. What's wrong with my code?Thanks for the help!
I've recently found the solution for my question. Maybe it's not the best way to do it, but it works nice! Prove me wrong:)
<?php
$lastnames = array('braun', 'piorkowski', 'mason', 'nash');
$arParams = array();
foreach($lastnames as $key => $value) //recreate an array with parameters explicitly passing every parameter by reference
$arParams[] = &$lastnames[$key];
$count_params = count($arParams);
$int = str_repeat('i',$count_params); //add type for each variable (i,d,s,b); you can also determine type of the variable automatically (is_int, is_float, is_string) in loop, but i don't need it
array_unshift($arParams,$int);
$q = array_fill(0,$count_params,'?'); //form string of question marks for statement
$params = implode(',',$q);
$data_res = $_DB->prepare('SELECT `id`, `name`, `age` FROM `users` WHERE `lastname` IN ('.$params.')');
call_user_func_array(array($data_res, 'bind_param'), $arParams);
$data_res->execute();
$result = $data_res->get_result();
while ($data = $result->fetch_array(MYSQLI_ASSOC)) {
...
}
$result->free();
$data_res->close();
?>
I have a prepared mysqli query like this:
$query = $database->prepare("SELECT * FROM items WHERE inStock > ? AND size < ? AND name LIKE ?");
$query->bind_param('iis', $inStock, $size, $name);
$query->execute();
There are many various conditions in the WHERE clause which filter out the results.
The problem is, that those parameters are supplied in a search form and they aren't mandatory. For example, someone can search by using only the name, or only by using the size and name, or by using the size, name and inStock, all at the same time.
I need some way to adjust the query so I can supply only the parameters I want. The only solution I can think of, is to make a huge if..else structure where prepared queries with all combinations of the search options exist, but that is out of the question as there are thousands of combinations.
The only actual realistic solution I can think of, would be to use a not prepared query, where I glue the conditions together with from pieces like $query .= "AND name LIKE '%".escapestuff($_POST['name'])."%'"
But that is very ugly and I would very much like to stay with the prepared query system.
You can build up a list of the criteria and add into a list the bind values and types, here is a quick mock up which uses two of the fields you refer to...
$data = [];
$params = "";
$where = [];
if ( !empty($name)) {
$data[] = $name;
$params.="s";
$where[] = "name like ?";
}
if ( !empty($size)) {
$data[] = $size;
$params.="i";
$where[] = "size < ?";
}
$sql = "SELECT * FROM items";
if ( count($where) > 0 ){
$sql .= " where ". implode ( " and ", $where);
}
$query = $database->prepare($sql);
$query->bind_param($params, ...$data);
$query->execute();
Notice that the bind_param() uses the ... to allow you to pass an array instead of the individual fields.
This question already has answers here:
Can I bind an array to an IN() condition in a PDO query?
(23 answers)
Closed 1 year ago.
I'm reworking some PHP code to use PDO for the database access, but I'm running into a problem with a "WHERE... IN" query.
I'm trying to delete some things from a database, based on which items on a form are checked. The length and content of the list will vary, but for this example, imagine that it's this:
$idlist = '260,201,221,216,217,169,210,212,213';
Then the query looks like this:
$query = "DELETE from `foo` WHERE `id` IN (:idlist)";
$st = $db->prepare($query);
$st->execute(array(':idlist' => $idlist));
When I do this, only the first ID is deleted. (I assume it throws out the comma and everything after it.)
I've also tried making $idlist an array, but then it doesn't delete anything.
What's the proper way to use a list of items in a PDO prepared statement?
Since you can't mix Values (the Numbers) with control flow logic (the commas) with prepared statements you need one placeholder per Value.
$idlist = array('260','201','221','216','217','169','210','212','213');
$questionmarks = str_repeat("?,", count($idlist)-1) . "?";
$stmt = $dbh->prepare("DELETE FROM `foo` WHERE `id` IN ($questionmarks)");
and loop to bind the parameters.
This may be helpful too:
https://phpdelusions.net/pdo#in
$arr = [1,2,3];
$in = str_repeat('?,', count($arr) - 1) . '?';
$sql = "SELECT * FROM table WHERE column IN ($in)";
$stm = $db->prepare($sql);
$stm->execute($arr);
$data = $stm->fetchAll();
I would make $idlist and array, then simply loop through the array using foreach to delete the specific item.
$idlist = array('260','201','221','216','217','169','210','212','213');
$stmt = $dbh->prepare("DELETE FROM `foo` WHERE `id` = ?");
$stmt->bindParam(1, $id);
foreach ($idlist as $item){
$id = $item;
$stmt->execute();
}
This question already has answers here:
Insert/update helper function using PDO
(11 answers)
Closed 6 years ago.
i am upgrading one application from MySql to PDo, now the application is big so i don't want to write query every time, instead i am creating some insert, update, select etc. functions which accept dyanamic table name, with column and its value in array.
can any one sugest me how i can create this .
so far i have done is
$connection = new PDO("mysql:host=$host;dbname=$database;charset=utf8", "$user", "$password");
for select
$field = array("column1","column2");
$sql = "SELECT ".$fields." FROM ".$table." ".$whereSQL." ";
for inser
$col_val = array("column1"=>value, "column2"=>2);
$query = "insert into ".$table." (".$fields.") values (".$values.")";
$query = $connection->prepare($sql);
$query->execute();
i try to do all this but for an example in insert query i want to pass array as
$col_val = array("column1"=>value, "column2"=>2);
some code and function here which make PDO query easy and insert all column and value correctly.
i am also looking same way to perform Update query.
as you can see here tabel, column and value are totally dynamic which will be pass to function.
for this moment i am using all odd query with
$query = $connection->prepare($sql);
$query->execute();
Thank you in advance.
This is not a complete solution but that's the idea I think you could use to get closer to fix your issue.
$columns = array('column1', 'column2', 'column3')
$comma_separated = implode(",", $columns);
$columns_values = array(
'column1' => 'text1',
'column2' => 'text2',
'column3' => 'text3',
)
$values_query = "";
$index = 0
foreach ($columns as $column_name) {
if ($index == 0){
$values_query .= "'". $columns_values[$column_name]."'"
}else{
$values_query .= ", '". $columns_values[$column_name]
}
}
$query = "INSERT INTO table (". $comma_separated . ") VALUES (".$values_query.");";
Before executing the query you can use PDO to escape the string ($query) to avoid SQL injection
This question already has answers here:
How do I insert an array of values into different columns of a mysql table?
(3 answers)
Closed 7 years ago.
$rate=[10,20,40,50,70];
How do I insert the value in below query?
$sql="INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)
VALUES('{$rate[0]}','{$rate[1]}', '{$rate[2]}','{$rate[3]}','{$rate[4]}')";
$stmt =connection::$pdo->prepare($sql);
$stmt->execute();
I tried below but it inserts same value in all column for a record and creates new record for each new value:
foreach($rate as $key->$value)
{
$sql="INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)
VALUES('{$value}','{$value}', '{$value}','{$value}','{$value}')";
$stmt =connection::$pdo->prepare($sql);
$stmt->execute();
Edited based on answer given
public function rentalRate()
{
$rate = implode("','",$this->rate);
$sql = "INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES('$rate')";
$stmt =connection::$pdo->prepare($sql);
$stmt->execute();
unset($rate);
}
Simply use implode and that's it
$rate = [10,20,40,50,70];
$rate = implode("','",$rate);
$sql = "INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES('$rate')";
echo $sql;
Foreach is not useful in this case, because you want to integrate more than one array element in one query and you do not have a multidimensional array. Just use your first query:
$sql = "INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES('{$rate[0]}','{$rate[1]}', '{$rate[2]}','{$rate[3]}','{$rate[4]}')";
And - if you really want to use foreach:
$sql = "INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES(";
foreach($rate as $value)
$sql .= "'$value', ";
$sql = rtrim($sql, ", ") . ")";
just simple (note implode will only work with integers, without need to quoate)
$rate=[10,20,40,50,70];
$r_sql = '';
foreach($rate as $r) {
$r_sql.="'$r',";
}
$r_sql = trim($r_sql,',');
$sql="INSERT INTO rental(day_1,day_3,day_7,day_15,day_30)VALUES(".$r_sql.")";
Normally arrays are inserted into a different table and all tools are geared towards this. It is usually better not to fight the tools or it is likely to run into unforseen problems.
If we add a
table rental_day(id(int), rental_id(int,fk), rate(money))
Then for all the items in the array we just insert the item into one row in rental_day
later when we need the info back we can query for it like
select * from rental_day d inner join rental r on d.rental_id=r.id where r.id=something
and you will get all the info from rental_day and rental in one query.