This question already has answers here:
MySQLi Bind Param with an array for IN [duplicate]
(2 answers)
Closed 4 years ago.
I have this select:
$stmt = $mysqli->prepare("select following from following where user =? and block=0");
$stmt->bind_param('i', $user);
$stmt->execute();
$stmt->bind_result($followers);
$stmt->fetch();
$stmt->close();
I'd like to use $followers in another MySQL connection:
select... from ... where (p.user in (?))
In this ? I'd like to place the $followers variable in MySQL IN format: (1,5,7,2).
Any ideas how to convert the bind_result $followers into this MySQL IN format?
One way to accomplish this would be to create another string variable and append the result of $followers in a while loop.
I typically work in procedural style, and I am assuming that your statement returns multiple rows into $followers:
$sql_in_string = ''; // initialize string variable as blank
while (mysqli_stmt_fetch($stmt)) {
    $sql_in_string = $sql_in_string . $followers . ","; // append value + comma
}
$sql_in_string = rtrim($sql_in_string, ","); // remove the final comma
At this point, $sql_in_string should have your values as "1,2,3" format and then you can bind that parameter to your next query.
This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Closed 2 years ago.
I've been trying to figure this out.
$insertSql = 'INSERT INTO table (id,date,name,numFarts) VALUES (?,?,?,?)';
$values = array(1,'0000-00-00 00:00:00','Bob',5);
$bind_param_str = ('issi');
if ($stmt = $db->prepare($insertSql)) { // $insertSql is a pre-written sql insert
    $stmt->bind_param($bind_param_str,$values);
    $stmt->execute();
    $stmt->close();
}
This doesn't work, but I can't think of any other way to pass $values into bind_param().
Any ideas?
For any function to which you need to pass an array as the argument(s), you can use call_user_func_array.
In this example:
array_unshift($values,$bind_param_str);
call_user_func_array(array($stmt,'bind_param'),$values);
Don't ask me why you need array($stmt,'bind_param') instead of $stmt->bind_param. It has something to do with the syntax of ->, I'm sure.
The clean solution (PHP 5.6+):
$stmt->bind_param($bind_param_str, ...$values);
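Added example, not code from either post: it combines the two threads above (a variable-length list for IN (...), and unpacking an array into bind_param()). A single bound value is always one scalar, so an IN list needs one ? per value; the pattern is generated, the values are bound. It assumes $mysqli is an open mysqli connection and a table `posts` with an integer column `user` (both names are assumptions).

```php
<?php
// Added example, not code from either post. It binds a variable-length list
// to an IN (...) clause by emitting one `?` per value and unpacking the
// values into bind_param() (PHP 5.6+). Assumes $mysqli is an open mysqli
// connection and a table `posts` with integer column `user` (names assumed).

// Build the placeholder list and type string for an IN (...) clause,
// e.g. ["?,?,?", "iii"] for three integers. "IN ()" is a MySQL syntax
// error, so an empty list is rejected up front.
function inClauseParts(array $values, string $type = 'i'): array
{
    if ($values === []) {
        throw new InvalidArgumentException('IN list must not be empty');
    }
    $n = count($values);
    return [implode(',', array_fill(0, $n, '?')), str_repeat($type, $n)];
}

// Return the ids of posts written by any of $followers. Only the fixed
// placeholder pattern is spliced into the SQL text; the values travel
// through bind_param(), so the query stays a true prepared statement.
function postsByFollowers(mysqli $db, array $followers): array
{
    $followers = array_map('intval', $followers); // honour the 'i' types
    [$marks, $types] = inClauseParts($followers, 'i');

    $stmt = $db->prepare("SELECT id FROM posts WHERE user IN ($marks)");
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param($types, ...$followers); // one argument per value
    $stmt->execute();

    $ids = [];
    $stmt->bind_result($id);
    while ($stmt->fetch()) {
        $ids[] = $id;
    }
    $stmt->close();
    return $ids;
}

// $followers is the list collected by the first statement, e.g. [1, 5, 7, 2].
// print_r(postsByFollowers($mysqli, [1, 5, 7, 2]));
```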
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 7 years ago.
I receive the following error:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
I am having trouble binding and executing the prepared statement. The connection to the database is successfully established and it does manage to insert it into the database with the initial value of ?
Below is the code:
// Set up the query
$insert = "INSERT INTO record_user (ip,country,address,stack,skills,employment_type,city_selection,landing_time,submission_time,time_spent)
VALUES ('?','?','?','?','?','?','?','?','?','?')";
// Prepare the statement
$insert = $con->prepare($insert);
// Bind the statement
$insert->bind_param("ssssssssss", $user_ip, $country, $location, $stack, $skills, $employment, $city, $landing_time, $submission_time, $time_spent);
// Execute the statement
$insert->execute();
// Close the statement connection
$insert->close();
// Close the database connection
$con->close();
Lose the quotes around ? and use 10 params instead of 11
Instead of this:
$insert = "INSERT INTO record_user (ip,country,address,stack,skills,employment_type,city_selection,landing_time,submission_time,time_spent)
VALUES ('?','?','?','?','?','?','?','?','?','?')";
$insert = $con->prepare($insert);
$insert->bind_param("ssssssssss", $user_ip, $country, $location, $stack, $skills, $employment, $city, $landing_time, $submission_time, $time_spent);
Try this:
$insert = "INSERT INTO record_user (ip,country,address,stack,skills,employment_type,city_selection,landing_time,submission_time,time_spent)
VALUES (?,?,?,?,?,?,?,?,?,?)";
$insert = $con->prepare($insert);
$insert->bind_param("ssssssssss", $user_ip, $country, $location, $stack, $skills, $employment, $city, $landing_time, $submission_time, $time_spent);
Your prepared query doesn't have any placeholders. You are inserting 10 literal ? characters into your database.
You need to lose the quotes around the ?s:
$insert = "INSERT INTO record_user (ip,country,address,stack,skills,employment_type,city_selection,landing_time,submission_time,time_spent)
VALUES (?,?,?,?,?,?,?,?,?,?)";
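Added example, not code from the question or either answer: a check that counts the real ? placeholders in a statement and compares the count with the length of the mysqli type string before bind_param() is ever called. A ? inside a quoted literal is data, not a placeholder, which is exactly why the INSERT above binds 10 types against 0 placeholders. The sample SQL strings are constructed.

```php
<?php
// Added example, not code from the question or either answer. It checks,
// before bind_param() is reached, that the number of real `?` placeholders
// in the SQL equals the length of the type string. A `?` inside a quoted
// literal is skipped, so the question's INSERT scores 0 against 10 types.
// Count `?` outside single- and double-quoted literals, honouring doubled
// quotes ('' / "") and backslash escapes inside a literal.
function countPlaceholders(string $sql): int
{
    $count = 0;
    $quote = null;                 // quote char while inside a literal
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote !== null) {
            if ($c === '\\') {
                $i++;              // skip the escaped character
            } elseif ($c === $quote) {
                if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                    $i++;          // doubled quote: still inside
                } else {
                    $quote = null; // closing quote
                }
            }
        } elseif ($c === "'" || $c === '"') {
            $quote = $c;
        } elseif ($c === '?') {
            $count++;
        }
    }
    return $count;
}

// Fail loudly if the SQL and the type string disagree.
function assertBindable(string $sql, string $types): void
{
    $have = countPlaceholders($sql);
    $want = strlen($types);
    if ($have !== $want) {
        throw new LogicException(
            "SQL has $have placeholder(s) but type string '$types' binds $want");
    }
}

// Constructed inputs shaped like the question: quoted '?' are literals.
$quoted = "INSERT INTO record_user (ip, country) VALUES ('?','?')";
$real   = "INSERT INTO record_user (ip, country) VALUES (?,?)";
assertBindable($real, 'ss');   // placeholders and types agree
assertBindable($quoted, 'ss'); // throws: the quoted marks are literals
```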
This question already has an answer here:
Using PDO without binding
(1 answer)
Closed 9 years ago.
I'm trying to make my SQL calls more secure and I have encountered two ways of making prepared statements; I was wondering if there is any difference between them.
This is the Query:
$query =
"INSERT INTO companies
VALUES(
NULL,
:name,
:assignation,
:priority
)";
1)
$statement = $pdoDbInstance->prepare($query);
$statement->bindValue(':name', $name);
$statement->bindValue(':assignation', $assignation);
$statement->bindValue(':priority', $priority);
$result = $statement->execute();
2)
$statement = $pdoDbInstance->prepare($query);
$result = $statement->execute(array(":name" => $name, ":assignation" => $assignation, ":priority" => $priority));
Is there any significant difference between them?
According to https://stackoverflow.com/a/12392590/2124401, it is a matter of whether you need to enforce the datatype. Execute always passes strings, so if you want something different or a specific datatype, use bindValue or bindParam. Otherwise, they are just a matter of preference.
This question already has answers here:
How can I pass an array of PDO parameters yet still specify their types?
(3 answers)
Closed 7 years ago.
I'm having an issue binding the LIMIT part of an SQL query. This is because the query is being passed as a string. I've seen another question here that deals with binding parameters, but nothing that deals with named placeholders in an array.
Here's my code:
public function getLatestWork($numberOfSlides, $type = 0) {
    $params = array();
    $params["numberOfSlides"] = (int) trim($numberOfSlides);
    $params["type"] = $type;
    $STH = $this->_db->prepare("SELECT slideID
        FROM slides
        WHERE visible = 'true'
        AND type = :type
        ORDER BY order
        LIMIT :numberOfSlides;");
    $STH->execute($params);
    $result = $STH->fetchAll(PDO::FETCH_COLUMN);
    return $result;
}
The error I'm getting is: Syntax error or access violation near ''20'' (20 is the value of $numberOfSlides).
How can I fix this?
The problem is that execute() quotes the numbers and treats them as strings:
From the manual: "An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR."
<?php
public function getLatestWork($numberOfSlides = 10, $type = 0) {
    $numberOfSlides = intval(trim($numberOfSlides));
    $STH = $this->_db->prepare("SELECT slideID
        FROM slides
        WHERE visible = 'true'
        AND type = :type
        ORDER BY order
        LIMIT :numberOfSlides;");
    $STH->bindParam(':numberOfSlides', $numberOfSlides, PDO::PARAM_INT);
    $STH->bindParam(':type', $type, PDO::PARAM_INT);
    $STH->execute();
    $result = $STH->fetchAll(PDO::FETCH_COLUMN);
    return $result;
}
?>
I'd suggest binding the params and forcing their type:
$STH->bindParam(':numberOfSlides', $numberOfSlides, PDO::PARAM_INT);
$STH->execute();
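Added example, not code from either PDO question or their answers: it serves both the bindValue-versus-execute(array) question and the LIMIT question by executing from a named-parameter array while still giving each value a PDO type, so the LIMIT arrives as an integer rather than the quoted string behind the "near ''20''" error. It assumes $pdo is an open PDO connection to MySQL; the slides table and its columns are the ones from the LIMIT question.

```php
<?php
// Added example, not code from either question or their answers. It executes
// a PDO statement from a named-parameter array while still giving each value
// an explicit type, so the LIMIT reaches MySQL as an integer instead of the
// quoted string that execute(array) produces (the "near ''20''" error above).
// Assumes $pdo is an open PDO connection to MySQL; the `slides` table and its
// columns are taken from the LIMIT question.

// Pick the PDO type that matches a PHP value; callers may override per name.
function pdoTypeFor($value): int
{
    if (is_int($value))  { return PDO::PARAM_INT; }
    if (is_bool($value)) { return PDO::PARAM_BOOL; }
    if ($value === null) { return PDO::PARAM_NULL; }
    return PDO::PARAM_STR;
}

// Bind every named parameter with a type, then execute with no argument:
// passing an array to execute() would rebind everything as PARAM_STR.
function executeTyped(PDOStatement $stmt, array $params, array $types = []): bool
{
    foreach ($params as $name => $value) {
        $key = ltrim($name, ':');
        // bindValue() copies the value now; bindParam() would keep a
        // reference to the variable until execute() runs.
        $stmt->bindValue(':' . $key, $value, $types[$key] ?? pdoTypeFor($value));
    }
    return $stmt->execute();
}

function getLatestWork(PDO $pdo, $numberOfSlides, $type = 0): array
{
    // `order` is a reserved word in MySQL, so it is quoted with backticks.
    $stmt = $pdo->prepare("SELECT slideID
                             FROM slides
                            WHERE visible = 'true'
                              AND type = :type
                            ORDER BY `order`
                            LIMIT :numberOfSlides");
    // Cast first: with emulated prepares PDO may still quote a numeric
    // string bound as PARAM_INT, whereas a real int is inlined unquoted.
    executeTyped($stmt, [
        'type'           => (int) $type,
        'numberOfSlides' => (int) trim((string) $numberOfSlides),
    ]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// getLatestWork($pdo, '20 ') binds LIMIT 20 as PDO::PARAM_INT.
```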