Is there any standard or best way in PHP PDO database class to change the operator from "=" to "IS" when I don't know if the value I'm going to pass is NULL or not. Here is an example of what I mean.
I have two variables. I want a count of the results that match. Sometimes one or both of the variables can be NULL. But MySQL requires a different operator to find NULL (IS NULL).
I'm currently just creating another variable for the operator and when I build the query I inject it in as so:
// First create a variable "=" or "is" depending on whether var1 and var2 are NULL or not
if($var1 == NULL) $var1_operator = "IS";
else $var1_operator = "=";
if($var2 == NULL) $var2_operator = "IS";
else $var2_operator = "=";
// Build the query
$query = 'SELECT count(*) as count FROM table
WHERE var1 '.$var1_operator.' :var1 AND var2 '.$var2_operator.' :var2';
// Conduct the query
$prepare = $db_connection->prepare($query);
$prepare->bindValue(':var1', $var1, PDO::PARAM_STR);
$prepare->bindValue(':var2', $var2, PDO::PARAM_STR);
$prepare->execute();
$results = $prepare->fetch();
Is there another way to do this? This works to bindValue using PARAM_STR even when the value is NULL and not really a string. The query returns the correct value count. Just not sure if there is better practice for doing it.
As you are using mysql, you can use its spaceship operator, <=>:
$query = 'SELECT count(*) FROM table WHERE var1 <=> ? AND var2 <=> ?';
$prepare = $db_connection->prepare($query);
$prepare->execute([$var1, $var2]);
$count = $prepare->fetchColumn();
But in general, if you need variable operators or other query parts, such a conditional query building is the only way.
A more generalized solution can be found in my article How to create a WHERE clause for PDO dynamically:
// always initialize a variable before use!
$conditions = [];
$parameters = [];
// conditional statements
if (!empty($_GET['name']))
{
// here we are using LIKE with wildcard search
// use it ONLY if really need it
$conditions[] = 'name LIKE ?';
$parameters[] = '%'.$_GET['name']."%";
}
if (!empty($_GET['sex']))
{
// here we are using equality
$conditions[] = 'sex = ?';
$parameters[] = $_GET['sex'];
}
if (!empty($_GET['car']))
{
// here we are using not equality
$conditions[] = 'car != ?';
$parameters[] = $_GET['car'];
}
// the main query
$sql = "SELECT * FROM users";
// a smart code to add all conditions, if any
if ($conditions)
{
$sql .= " WHERE ".implode(" AND ", $conditions);
}
// the usual prepare/execute/fetch routine
$stmt = $pdo->prepare($sql);
$stmt->execute($parameters);
$data = $stmt->fetchAll();
so in these conditions above whatever logic could be implemented, including operator change or anything.
Related
I'm trying to create an advanced search in php. The inputs are not required, users can decide if they want to search for a manufacturer or just set the minimum price, etc. I'm trying to save the "s" and "i" for the bind_param in an array, and the variables in another array, then implode them in the bind_param part.
This is where I got the problem. The $params implode works fine, but when I'm trying to implode the $vars array, I get the error message that says "Only variables should be passed by reference".
It's because if I push a variable to my array, it stores it's value and not the variable itself. I've tried to push them as strings, like '$example', but in this case, when I implode it, got the same message because it's a string.
So, how should I store them in the array to be able to use them in the bind_param?
In this example I show only 2 inputs, but ofc I have a lot more.
if ($_SERVER['REQUEST_METHOD'] == 'GET' && isset($_GET['search_button'])) {
$params[] = "i";
$vars[] = '$status';
$sql_search = 'SELECT m.*, u.premium, u.avatar FROM motorcycles m INNER JOIN users u ON u.id = m.userid WHERE status = ?';
if (isset($_GET['manufacturer_search']) && $_GET['manufacturer_search'] !== "") {
$manufacturer_search = $_GET['manufacturer_search'];
$sql_search .= " AND manufacturer LIKE ?";
array_push($params, 's');
array_push($vars, '$manufacturer_search');
}
if (isset($_GET['min_price']) && $_GET['min_price'] !== "") {
$min_price = $_GET['min_price'];
$sql_search .= " AND price >= ?";
array_push($params, 'i');
array_push($vars, '$min_price');
}
$sql_search .= " ORDER BY u.premium DESC LIMIT ?, ?";
array_push($params, 'ii');
array_push($vars, '$this_page_first_result', '$results_per_page');
$stmt_search = $link->prepare($sql_search);
$stmt_search->bind_param(implode("", $params), implode(",", $vars));
$stmt_search->execute();
$result = $stmt_search->get_result();
}
You should provide the variables you want separately as the last parameter of bind_params, what you are doing is creating a string of all your variables and passing that.
Change
$stmt_search->bind_param(implode("", $params), implode(",", $vars));
To
$stmt_search->bind_param(implode("", $params), ...$vars );
And PHP will take all entries inside your $vars array and pass them as separate parameters of the function.
For more information on this see the Documentation of bind_param, PHP's introduction of the splat operator here and here and some extra information on stack overflow.
Sorry if this is a duplicate, I have tried searching but cannot seem to find an answer. I may just have the piece of code in the wrong place.
I have counted the duplicate values input from various select boxes, which were sent over via $_GET. Using these duplicates, if more than (whatever the set amount is) then it will run through a mysql query. This is all working fine.
The issue is that I need to remove duplicates that are returned from the mysql query. Here is my code:
if ($countGearSelected >= 2) {
$gearSets = array_keys(array_filter(array_count_values($_GET['gearPiece']), function($v) {
return $v > 1;
}));
foreach ($gearSets as $gearSetKey => $gearSetValue) {
$result = mysqli_query($con,"SELECT twoPieceBonus FROM sets WHERE setName='".$gearSetValue."';");
while($row = mysqli_fetch_array($result)){
$twoPieceBonus .= urldecode($row['twoPieceBonus']).'</br></br>';
}
$twoPieceBonus = implode(',',array_unique(explode(',', $twoPieceBonus)));
$twoSelected = substr($twoPieceBonus, 0, -10);
}
}else{
$twoSelected = '';
}
As you can see, I have tried the array_unique option on various other posts on SE but it doesn't appear to be working. I think I may be using it incorrectly?
Using DISTINCT doesn't work in the mysql query, as a few of the "sets" that are being queried have the same result (if that makes sense?).
Any help is very much appreciated.
First: your code is vulnerable to SQL injection: use prepared statements to avoid this.
Secondly, it is often a bad idea to execute a query in each iteration of a loop. And in this case it can be avoided. Instead of an equality comparison in your where clause, you could use the in operator and compare to all gear sets in one go.
This will also solve the matter of getting distinct values. With only one query executing, you can use distinct now.
Here is how the code would look like. I could not test this, but I expect mistakes (if any) can be easily fixed:
$twoSelected = '';
if ($countGearSelected >= 2) {
$gearSets = array_keys(array_filter(
array_count_values($_GET['gearPiece']), function($v) {
return $v > 1;
}
));
// Create comma separated list of question marks
$placeHolders = implode(",", array_fill(0, count($gearSets), "?"));
// Prepare SQL statement with it
$stmt = mysqli_prepare($con,
"SELECT DISTINCT twoPieceBonus
FROM sets
WHERE setName IN ($placeHolders);");
// All gearSet values are strings:
$types = str_repeat("s", count($gearSets));
// Turn the gearSets into references
$gearSetRefs = [];
foreach ($gearSets as $i => $_) {
$gearSetRefs[] = &$gearSets[$i];
}
// Bind arguments
mysqli_stmt_bind_param($stmt, $types, ...$gearSetRefs); // the splat operator
// Now we are all set to (safely) execute the query
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// Let the result of the URL decoding still be an array
$twoPieceBonus = [];
while ($row = mysqli_fetch_array($result)) {
$twoPieceBonus[] = urldecode($row['twoPieceBonus']);
}
mysqli_stmt_close ($stmt);
// ... and then use implode to insert those HTML breaks
$twoSelected = implode("</br></br>", $twoPieceBonus);
}
How do I change this function to another function. I don't want to use the get_result
I searched online but could not find an answer that could help me.
public function Select($Table_Name, $Conditions='' ,$Array_Conditions_Limit=NULL , $OrderBy='', $Limit='', $Selected_Fields='*')
{
$Query = "SELECT ".$Selected_Fields." FROM ".$Table_Name;
if(!empty($Conditions))
$Query .= " WHERE ".$Conditions;
if(!empty($OrderBy))
$Query .= " ORDER BY ".$OrderBy;
if(!empty($Limit))
$Query .= " LIMIT ".$Limit;
$Statment = $this->ConnectionResult->prepare($Query);
if(isset($Array_Conditions_Limit) )
{
$Statment = $this->DynamicBindVariables($Statment, $Array_Conditions_Limit);
$Statment->execute();
return $Statment->get_result();
}
else
$Statment->execute();
return $Statment->get_result();
}
This also functions dynamic bind variables
private function DynamicBindVariables($Statment, $Params)
{
if (is_array($Params) && $Params != NULL)
{
// Generate the Type String (eg: 'issisd')
$Types = '';
foreach($Params as $Param)
{
$Types .= $this->GetType($Param);
}
// Add the Type String as the first Parameter
$Bind_names[] = $Types;
// Loop thru the given Parameters
for ($i=0; $i<count($Params);$i++)
{
$Bind_name = 'bind' . $i;
// Add the Parameter to the variable
$$Bind_name = $Params[$i];
// Associate the Variable as an Element in the Array
$Bind_names[] = &$$Bind_name;
}
// Call the Function bind_param with dynamic Parameters
call_user_func_array(array($Statment,'bind_param'), $Bind_names);
}
elseif(isset($Params) && !empty($Params))
{
$Types = '';
$Types .= $this->GetType($Params);
$Statment->bind_param($Types ,$Params);
}
return $Statment;
}
I using the return value as follows:
$myresult =Select('post','post_category=?' ,2 );
$row = $myresul2->fetch_object()
First of all, I find this approach utterly useless. What are you actually doing is dismembering fine SQL sentence into some anonymous parts.
"SELECT * FROM post WHERE post_category=?"
looks WAY better than your anonymous parameters of which noone have an idea.
'post','post_category=?'
One can tell at glance what does first statement to do. and have no idea on the second. Not to mention it's extreme:
'post','post_category=?',NULL, NULL, 'username, password'
So, instead of this kindergarten query builder I would rather suggest a function that accepts only two parameters - a query itself and array with bound data:
$myresult = Select("SELECT * FROM post WHERE post_category=?", [2]);
To make it more useful, I wouild make separate functions to get different result types, making your second line with fetch_object() obsolete (however, speaking of objects, they are totally useless to represent a table row). Example:
$row = $db->selectRow("SELECT * FROM post WHERE post_category=?", [2]);
Look: it's concise yet readable!
As a further step you may wish to implement more placeholder types, to allow fields for ORDER BY clause be parameterized as well:
$data = $db->getAll('id','SELECT * FROM t WHERE id IN (?a) ORDER BY ?n', [1,2],'f');
you can see how it works, as well as other functions and use cases in my safeMysql library
I'm trying to do a little PDO CRUD to learn some PDO. I have a question about bindParam. Here's my update method right now:
public static function update($conditions = array(), $data = array(), $table = '')
{
self::instance();
// Late static bindings (PHP 5.3)
$table = ($table === '') ? self::table() : $table;
// Check which data array we want to use
$values = (empty($data)) ? self::$_fields : $data;
$sql = "UPDATE $table SET ";
foreach ($values as $f => $v)
{
$sql .= "$f = ?, ";
}
// let's build the conditions
self::build_conditions($conditions);
// fix our WHERE, AND, OR, LIKE conditions
$extra = self::$condition_string;
// querystring
$sql = rtrim($sql, ', ') . $extra;
// let's merge the arrays into on
$v_val = array_values($values);
$c_val = array_values($conditions);
$array = array_merge($v_val, self::$condition_array);
$stmt = self::$db->prepare($sql);
return $stmt->execute($array);
}
in my "self::$condition_array" I get all the right values from the ?. SO the query looks like this:
UPDATE table SET this = ?, another = ? WHERE title = ? AND time = ?
as you can see I dont use bindParams instead I pass the right values in the right order ($array) directly into the execute($array) method. This works like a charm BUT is it safe not use use bindParam here?
If not then how can I do it?
Thanks from Sweden
Tobias
Yes, it is safe. bindParam() associates a parameter with a variable, use it when you want value of a variable to be used when execute() is called. Otherwise what you are doing is fine.
PHP Docs on PDO bindParam()
Positional parameters become a nightmare when dealing with more than 3 or 4 parameters. Named parameters are verbose. I'm thinking of doing this:
query("SELECT * FROM users WHERE username = ", $username, " AND password = ", $password)
With dynamic parameters (using func_get_args()), every second one being transformed into a positional parameter.
I've never seen this before and wanted to know if anyone has done this before and why/why not?
Named parameters don't have to be verbose, at least not compared to positional parameters. You could use shortened versions that are still obvious:
$st = $dbh->prepare('SELECT * FROM users WHERE username = :u AND password = :p');
$st->bindValue(':u', $username);
$st->bindValue(':p', $password);
$st->execute();
It's a clever idea. The only problem I see is how to distinguish between SQL and passed-in variables. Unless you make an assumption that every second arg is a variable. I just think that assumption is fragile, and obfuscates things more than makes them clear.
Better way would probably be to use interpolation:
query("SELECT foo FROM bar WHERE id = #{id}", array("id" => "23"));
Then write logic to interpolate these.
I don't think positional parameters are so bad... this is my favorite method:
function mysql_safe_string($value) {
if(is_numeric($value)) return $value;
elseif(empty($value)) return 'NULL';
elseif(is_string($value)) return "'".mysql_real_escape_string($value)."'";
elseif(is_array($value)) return implode(',',array_map('mysql_safe_string',$value));
}
function mysql_safe_query($format) {
$args = array_slice(func_get_args(),1);
$args = array_map('mysql_safe_string',$args);
$query = vsprintf($format,$args);
$result = mysql_query($query);
if($result === false) echo '<div class="mysql-error"><strong>Error: </strong>',mysql_error(),'<br/><strong>Query: </strong>',$query,'</div>';
return $result;
}
// example
$result = mysql_safe_query('SELECT * FROM users WHERE username=%s', $username);