ADOdb and Previewing Prepared Statements (PHP) - php

According to: https://adodb.org/dokuwiki/doku.php?id=v5:userguide:portable_sql#prepare_execute
$stmt = $db->prepare("SELECT * FROM customers WHERE custid=? AND state=?");
$rs = $db->execute($stmt, array(999,'New York'));
How does one preview the SQL that ADOdb prepares without Executing, first? Namely:
"SELECT * FROM customers WHERE custid=999 AND state='New York'"

This class provides a solution:
https://github.com/jasny/dbquery-mysql/blob/master/src/Jasny/DB/MySQL/QuerySplitter.php
use Jasny\DB\MySQL\QuerySplitter; // class from the jasny/dbquery-mysql package (Composer autoload)
$stmt = "SELECT * FROM customers WHERE custid=? AND state=?";
$params = array(999,'New York');
$split = new QuerySplitter;
$query = $split->bind($stmt , $params);
die($query);
//SELECT * FROM customers WHERE custid=999 AND state='New York'
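For readers who cannot pull in the Jasny package, here is a small stand-alone preview helper. It is an added example, not ADOdb's or Jasny's code: it substitutes positional `?` parameters into a copy of the statement for logging only, skipping any `?` that sits inside a quoted literal. The rendered string is never what gets sent to the database; the real query still goes through prepare()/execute().

```php
<?php
// Added example (not ADOdb's or Jasny's code): render a prepared statement with
// its parameters substituted, for logging and debugging only. The rendered
// string is never executed; the driver still does the binding for the real query.
function previewSql(string $sql, array $params): string
{
    $out = '';
    $idx = 0;
    $len = strlen($sql);
    $inQuote = null;               // delimiter of the string literal we are inside, if any
    for ($i = 0; $i < $len; $i++) {
        $ch = $sql[$i];
        if ($inQuote !== null) {
            $out .= $ch;
            if ($ch === '\\' && $i + 1 < $len) {   // copy an escaped char verbatim
                $out .= $sql[++$i];
            } elseif ($ch === $inQuote) {
                $inQuote = null;
            }
            continue;
        }
        if ($ch === "'" || $ch === '"') {
            $inQuote = $ch;                // a '?' inside quotes is not a placeholder
            $out .= $ch;
        } elseif ($ch === '?') {
            if (!array_key_exists($idx, $params)) {
                throw new InvalidArgumentException("no parameter for placeholder #$idx");
            }
            $out .= quoteLiteral($params[$idx++]);
        } else {
            $out .= $ch;
        }
    }
    if ($idx !== count($params)) {
        throw new InvalidArgumentException('parameter count does not match placeholder count');
    }
    return $out;
}
// Quote a PHP value as a SQL literal for display: ints and floats stay bare,
// NULL becomes NULL, booleans become 1/0, everything else is a single-quoted
// string with backslashes and quotes escaped MySQL-style.
function quoteLiteral($value): string
{
    if ($value === null) return 'NULL';
    if (is_bool($value)) return $value ? '1' : '0';
    if (is_int($value) || is_float($value)) return (string) $value;
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], (string) $value) . "'";
}
echo previewSql('SELECT * FROM customers WHERE custid=? AND state=?', [999, 'New York']), "\n";
```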

Related

Using a query result in another query

This is my first query; I want to use the multiple itemIDs extracted for another query.
$conn = new mysqli(server, dbuser, dbpw, db);
$email = $_GET['email'];
$querystring = "SELECT itemID from mycart where email = '".$email."' ";
$result = $conn->query($querystring);
$rs = $result->fetch_array(MYSQLI_ASSOC);
The second query that I need:
$query = "SELECT * from CatalogueItems where itemID = '".$itemID."'";
How do I make these 2 queries run?
Firstly, your code is open to SQL injection related attacks. Please learn to use Prepared Statements.
Now, from a query point of view, you can rather utilize JOIN to make this into a single query:
SELECT ci.*
FROM CatalogueItems AS ci
JOIN mycart AS mc ON mc.itemID = ci.itemID
WHERE mc.email = $email /* $email is the input filter for email */
PHP code utilizing Prepared Statements of MySQLi library would look as follows:
$conn = new mysqli(server, dbuser, dbpw, db);
$email = $_GET['email'];
$querystring = "SELECT ci.*
FROM CatalogueItems AS ci
JOIN mycart AS mc ON mc.itemID = ci.itemID
WHERE mc.email = ?"; // ? is the placeholder for email input
// Prepare the statement
$stmt = $conn->prepare($querystring);
// Bind the input parameters
$stmt->bind_param('s', $email); // 's' represents string input type for email
// execute the query
$stmt->execute();
// fetch the results
$result = $stmt->get_result();
$rs = $result->fetch_array(MYSQLI_ASSOC);
// Finally, don't forget to close the statement,
// unless you have a similar query to be executed, e.g. inside a loop
$stmt->close();
Refer to the first query as a subquery in the second:
$query = "SELECT * from CatalogueItems WHERE itemID IN ";
$query .= "(" . $querystring . ")";
This is preferable to your current approach, because we only need to make one single trip to the database.
Note that you should ideally be using prepared statements here. So your first query might look like:
$stmt = $conn->prepare("SELECT itemID from mycart where email = ?");
$stmt->bind_param("s", $email);
This creates a variable out of your result
$query = "SELECT itemID FROM mycart WHERE email = :email";
$stm = $conn->prepare($query);
$stm->bindParam(':email', $email, PDO::PARAM_STR, 20);
$stm->execute();
$result = $stm->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $pers) {
$itemID = $pers->itemID;
}

PHP many variables in WHERE clause MySQL

Here I want to add another variable using AND.
$query = $db->prepare("SELECT *
FROM messages WHERE Subject_Code = ' ".$_SESSION['sub1']." ' ");
I want to add Week = ' ".$_SESSION["weekS1"]." ' to this query using AND. How can I do it?
PHP PDO supports positional (?) and named (:email) placeholders; the latter always begins with a colon and can be written using letters, digits and underscores only. Also note that quotes must never be used around placeholders.
Eg:
The following becomes
$sql = "SELECT * FROM users WHERE email = '$email' AND status='$status'";
To
$sql = 'SELECT * FROM users WHERE email = ? AND status=?';
OR
$sql = 'SELECT * FROM users WHERE email = :email AND status=:status';
With placeholders, you have to prepare the query using the PDO::prepare() method.
To get the query executed, you must run the execute() method of this object, passing the variables in it in the form of an array:
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ? AND status=?');
$stmt->execute([$email, $status]);
$user = $stmt->fetch();
// or
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email AND status=:status');
$stmt->execute(['email' => $email, 'status' => $status]);
$user = $stmt->fetch();
A very good reference for a full tutorial: https://phpdelusions.net/pdo
If you are using PHP5+, you are supposed to bind your parameters outside of the query string when executing your statement.
Example:
$query = $db->prepare('SELECT * FROM messages WHERE Subject_Code = :subj AND Week = :week');
$query->execute(array(
':subj' => $_SESSION['sub1'],
':week' => $_SESSION["weekS1"],
));

Why does this sql query not work in pdo?

I'm trying to retrieve info from my database using PDO.
The code I'm using is
$input = $_GET['input'];
$inputvalue = $_GET['inputvalue'];
$db = DB::get_instance();
$query = $db->prepare('SELECT * FROM hwidex7 WHERE :input=:inputvalue');
$query->bindParam(':inputvalue', $inputvalue);
$query->bindParam(':input', $input);
$query->execute();
You can't bind a table or column name as a parameter in PDO.
You can build your query as
$query = $db->prepare("SELECT * FROM hwidex7 WHERE `$input` =:inputvalue");
$query->bindParam(':inputvalue', $inputvalue);
$query->execute();
$result = $query->fetch(PDO::FETCH_ASSOC);
print_r($result);
Both ways are wrong.
SELECT * FROM hwidex7 WHERE `HWID`='3087793810'
Just try the above query.
You will get the idea from it.

Using a variable value as a where statement inside PDO query

Let's say I have the following variable:
$where = "where `hats`='red'";
I want to inject this variable into a PDO statement. What is the proper way of doing this?
Is it like so?:
$sql = "select * from `clothing` :where";
$stm = $this->app->db->prepare($sql);
$stm->bindParam(':where', $where);
$stm->execute();
Any help would be greatly appreciated.
You can only bind values, not keywords, object names or syntactic elements. E.g., if you're always querying according to hats, you could bind the 'red' value:
$color = 'red';
$sql = "select * from `clothing` where hats = :color";
$stm = $this->app->db->prepare($sql);
$stm->bindParam(':color', $color);
$stm->execute();
If your where clause is really that dynamic, you'd have to resort to string manipulation (and face the risk of SQL injection, unfortunately):
$where = "where `hats`='red'";
$sql = "select * from `clothing` $where";
$stm = $this->app->db->prepare($sql);
$stm->execute();
// create a new PDO object by name $PDO in your connection file
In your function
function nameOfFunction($var,$value)
{
global $PDO;
// note: both placeholders are bound as values, so the first one is sent as a quoted string literal, not as a column name
$st=$PDO->prepare('SELECT * from clothing WHERE ? = ?');
$rs=$st->execute(array($var,$value));
return $st->fetchAll();
}
I hope it will work. It will return the array; traverse it as you like.
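Both this question and the previous one (binding a column name as `:input`) run into the same limit: placeholders carry values, never identifiers. The usual defensive answer is to accept the column name only if it appears in a fixed allowlist and then bind the value. The following is an added example, not code from either thread; `$pdo` is an assumed, already-open PDO connection, and the `clothing` table and its filterable columns are constructed for the example.

```php
<?php
// Added example (not the original posters' code): build a WHERE clause from
// user-supplied column names and values. Identifiers cannot be bound, so each
// column name is checked against a fixed allowlist and quoted with backticks;
// the values are passed as bound parameters. $pdo is an assumed open PDO connection.
final class ClothingQuery
{
    // Columns callers may filter on. Anything else is rejected, so the only
    // identifier that ever reaches the SQL string comes from this list.
    private const FILTERABLE = ['hats', 'size', 'color'];

    // Returns [sql, values] for a filter array like ['hats' => 'red'].
    public static function buildWhere(array $filters): array
    {
        $clauses = [];
        $values  = [];
        foreach ($filters as $column => $value) {
            if (!in_array($column, self::FILTERABLE, true)) {
                throw new InvalidArgumentException("column '$column' is not filterable");
            }
            $clauses[] = '`' . $column . '` = ?';
            $values[]  = $value;
        }
        $sql = 'SELECT * FROM `clothing`';
        if ($clauses !== []) {
            $sql .= ' WHERE ' . implode(' AND ', $clauses);
        }
        return [$sql, $values];
    }

    public static function find(PDO $pdo, array $filters): array
    {
        [$sql, $values] = self::buildWhere($filters);
        $stmt = $pdo->prepare($sql);   // only allowlisted identifiers are in $sql
        $stmt->execute($values);       // user data travels as bound values
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample input: column name and value both come from the client,
// as in the two questions above.
$column  = $_GET['input'] ?? 'hats';
$filters = [$column => $_GET['inputvalue'] ?? 'red'];
$rows = ClothingQuery::find($pdo, $filters);
```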

This PDO prepare statement won't work *how do I fix*?

$checkUser1 = "SELECT * FROM users WHERE username='$username'";
$checkUser = $handler->prepare($checkUser1);
$checkUser->execute(array(':username' => $username));
$cU = ($checkUser->rowCount());
This won't work, I'm not really sure how I should fix it.
It's a PDO prepare statement.
This
$checkUser1 = "SELECT * FROM users WHERE username='$username'";
should be
$checkUser1 = "SELECT * FROM users WHERE username=:username";
This way you can bind the variable to the parameter like you are trying in your execute array.