I have a problem with my pdo request.
My request works (I tried it directly with phpMyAdmin), but when $name contains char "&", it seems that bindValue doesn't work.
public static function get_by_name($name, $project_id)
{
$statement = Element::$db->prepare('SELECT * FROM Elements WHERE name = :name AND project_id = :project_id');
$statement->bindValue(':name', $name, PDO::PARAM_STR);
$statement->bindValue(':project_id', $project_id, PDO::PARAM_STR);
$statement->execute();
$result = $statement->fetch(PDO::FETCH_ASSOC);
if($result)
return $result;
else
return null;
}
I echoed the value of $name in my function and the value is right.
Thanks for your help.
Related
I have been converting a small login script i did to PDO trying to give it a try.
Code mysqli
$stmt = $conn->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($id, $name);
if ($stmt->fetch()) {
$_SESSION['id'] = $id;
$_SESSION['name'] = $name;
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
I changed to PDO
$sql = "SELECT id, name FROM users WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':id', $id);
$stmt->bindParam(':name', $name);
$stmt->execute();
if ($stmt->fetch())
{
$_SESSION['id'] = $id;
$_SESSION['name'] = $name;
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
in mysqli i was able to bind and store $id and $name but read those were not available in PDO
$stmt->store_result();
$stmt->bind_result($id, $name);
There's no equivalent of bind_result in PDO because you don't really need it. Just read the data from the row:
if ($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
$_SESSION['id'] = $row["id"];
$_SESSION['name'] = $row["name"];
$is_valid = true;
}
You also don't need the $stmt->bindParam(':name', $name); line because there is no :name input parameter in your SQL.
More examples are available in the manual and elsewhere.
See also Is it possible to use store_result() and bind_result() with PHP PDO? for more useful background info.
The equivalent method is called bindColumn(). You can bind a variable to one column in the result set.
/* Bind by column number */
$stmt->bindColumn(1, $id);
$stmt->bindColumn(2, $name);
while ($stmt->fetch(PDO::FETCH_BOUND)) {
print $name . "\t" . $id. "\n";
}
However, I would recommend writing simpler code. PDO is designed to be easier to use.
If you want to make the code simpler, use arrays. The method fetch() returns an array with the current row. They are better when you need to fetch more than one column from the result. If you only need to fetch one column, use fetchColumn().
$sql = "SELECT id, name FROM users WHERE id = :id";
$stmt = $conn->prepare($sql);
$stmt->execute([
'id' => $id,
'name' => $name,
]);
if ($row = $stmt->fetch()) {
$_SESSION['id'] = $row['id'];
$_SESSION['name'] = $row['name'];
$is_valid = true;
} else {
$is_valid = false;
self::logout();
}
I am making a method in my class, where the parameters for the method are $sql, $types, $values .
function getResult($sql, $types, $values){
$stmt = $this->conn->prepare($sql);
$stmt->bind_param( "$types" , ...$values);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
return $result;
} else{
return "There is no such row";
}
}
But i wonder, maybe i could make a function where $types are automatically generated based on the count of $values and give it a string ("s"). Something like this:
function getResult($sql, $values){
$stmt = $this->conn->prepare($sql);
$types = str_repeat("s", count($values));
$stmt->bind_param( $types, ...$values);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows > 0) {
return $result;
} else{
return "There is no such row";
}
}
Is it bad practise? It would make the code smaller
Yes, you absolutely can use strings to bind every single parameter. Binding parameters as strings works 99.99% of the time. There are only a handful of cases in MySQL where the type of the parameter matters.
What you can do is create a function that takes $types as an optional argument. That would be the best practice because it leaves you with an option to specify types if you really need them.
function getResult(string $sql, array $values, ?string $types = null): ?mysqli_result
{
$stmt = $this->conn->prepare($sql);
if (is_null($types)) {
$types = str_repeat("s", count($values));
}
$stmt->bind_param($types, ...$values);
$stmt->execute();
return $stmt->get_result() ?: null;
}
P.S. It's a bad idea to have the function return two types of values. Type hint your functions and stick to a single type.
I'm kind of new with PDO and currently developing the API call that returns search results. How do I set a prepare statement if there are 2 optional parameters for the search query?
$app->get('/get/search', function () {
$sql = 'SELECT * FROM user WHERE name LIKE :name AND city = :city AND gender = :gender';
try {
$stmt = cnn()->prepare($sql);
$stmt->bindParam(':name', '%'.$_GET['name'].'%', PDO::PARAM_STR);
$stmt->bindParam(':city', '%'.$_GET['city'].'%', PDO::PARAM_STR);
$stmt->bindParam(':gender', $_GET['gender'], PDO::PARAM_INT);
$stmt->execute();
if($data = $stmt->fetchAll()) {
echo json_encode($data);
} else {
echo json_encode(array('error' => 'no records found');
}
} catch(PDOException $e) {
echo json_encode(array('error' => $e->getMessage()));
}
}
The issue here, is that both $_GET['city'] and $_GET['gender'] are optional. If I try to run the code above, it will asume that any empty variable should match an empty value in the column as well; in the other hand, if I do something like this:
if($_GET['gender']) $stmt->bindParam(':gender', $_GET['gender'], PDO::PARAM_INT);
...it will return this error: "SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens"
So, what's the solution if I want to keep the prepared sql statement for optional parameters? Thanks!
Update
This is the solution based on the accepted answer and some comments (by deceze and bill-karwin):
if($_GET['name']) $where[] = 'name LIKE :name';
if($_GET['city']) $where[] = 'city LIKE :city';
if(isset($_GET['gender'])) $where[] = 'gender = :gender';
if(count($where)) {
$sql = 'SELECT * FROM user WHERE '.implode(' AND ',$where);
$stmt = cnn()->prepare($sql);
$name = '%'.$_GET['name'].'%';
if($_GET['name']) $stmt->bindValue(':name', '%'.$_GET['name'].'%', PDO::PARAM_STR);
$city = '%'.$_GET['city'].'%';
if($_GET['city']) $stmt->bindParam(':city', $city, PDO::PARAM_STR);
if(isset($_GET['gender'])) $stmt->bindParam(':gender', $_GET['gender'], PDO::PARAM_BOOL);
$stmt->execute();
if($data = $stmt->fetchAll()) {
echo json_encode($data);
}
}
Some good old dynamic SQL query cobbling-together...
$sql = sprintf('SELECT * FROM user WHERE name LIKE :name %s %s',
!empty($_GET['city']) ? 'AND city = :city' : null,
!empty($_GET['gender']) ? 'AND gender = :gender' : null);
...
if (!empty($_GET['city'])) {
$stmt->bindParam(':city', '%'.$_GET['city'].'%', PDO::PARAM_STR);
}
...
You can probably express this nicer and wrap it in helper functions etc. etc, but this is the basic idea.
There is a nice little function which can help: tiniest query builder. No frameworks or ORMs needed to make code look like this:
public function updateUser(int $id, string $email = '', string $password = '', string $name = '') {
$sql = \App\Utils\build_query([
[ 'UPDATE "users"'],
[$email ,'SET', 'email=:email'],
[$password ,',', 'password=:password'],
[$name ,',', 'name=:name'],
[ 'WHERE "id"=:id']
]);
$stmt = $this->db->prepare($sql);
$stmt->bindValue(':id', $id, \PDO::PARAM_INT);
// Optional bindings.
$email && $stmt->bindValue(':email', $email, \PDO::PARAM_STR);
$password && $stmt->bindValue(':password', $password, \PDO::PARAM_STR);
$name && $stmt->bindValue(':name', $name, \PDO::PARAM_STR);
$stmt->execute();
}
Note how neatly query components are created, with support for optional ones of course. The && experssions by bindings simply check whether this parameter is given, and if it is, then appropriate bindValue are called.
Nested function inside of fetch (which is inside of another function) does not perform.
fn_smth1 is nested inside of fn_smth2 and should output result via fn_smth2
Example below is a simplified version.
function fn_smth1 ($id){
global $mysqli;
$stmt = $mysqli->stmt_init();
if ($stmt->prepare("SELECT code FROM at WHERE id = ?")){
$stmt->bind_param("i",$id);
$stmt->execute();
$stmt->bind_result($code);
if ($stmt->fetch()){
$code_displ = $code;
}
}
$stmt->close;
return $code_displ;
}
function fn_smth2($id){
global $mysqli;
$stmt = $mysqli->stmt_init();
if ($stmt->prepare("SELECT idx, name FROM at WHERE id = ?")){
$stmt->bind_param("i",$id);
$stmt->execute();
$stmt->bind_result($idx, $name);
if ($stmt->fetch()){
$code_displ = $name.' === '.fn_smth1($idx);
}
}
$stmt->close;
return $code_displ;
}
echo fn_smth2(1);
//expected
some name here === some code here
//received
some name here === null (function fn_smth1 does not give a value)
You're trying to execute second prepared statement, while the resultset from the first one has not been stored yet. Use mysqli_stmt::store_result() before trying to execute second statement.
I'm working with a SQL Server stored procedure that returns error codes; here is a very simple snippet of the SP.
DECLARE #ret int
BEGIN
SET #ret = 1
RETURN #ret
END
I can get the return value with the mssql extension using:
mssql_bind($proc, "RETVAL", &$return, SQLINT2);
However, I can't figure out how to access the return value in PDO; I'd prefer not to use an OUT parameter, as alot of these Stored Procedures have already been written. Here is an example of how I am currently calling the procedure in PHP.
$stmt = $this->db->prepare("EXECUTE usp_myproc ?, ?");
$stmt->bindParam(1, 'mystr', PDO::PARAM_STR);
$stmt->bindParam(2, 'mystr2', PDO::PARAM_STR);
$rs = $stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
Check out MSDN for info on how to correctly bind to this type of call
Your PHP code should probably be tweaked to look more like this. This may only work if you're calling through ODBC, which is honestly the strongly preferred way to do anything with SQL Server; use the SQL Native Client on Windows systems, and use the FreeTDS ODBC driver on *nix systems:
<?php
$stmt = $this->db->prepare("{?= CALL usp_myproc}");
$stmt->bindParam(1, $retval, PDO::PARAM_STR, 32);
$rs = $stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "The return value is $retval\n";
?>
The key thing here is that the return value can be bound as an OUT parameter, without having to restructure the stored procedures.
Just had this same problem:
<?php
function exec_sproc($sproc, $in_params)
{
global $database;
$stmnt = $database->prepare("EXEC " . $sproc);
if($stmnt->execute($in_params))
{
if($row = $stmnt->fetch())
{
return $row[0];
}
}
return -1;
}
?>
can't u use SELECT to return the results?
Then you can use a dataset (resultset in php?) to pick it up?
I don't know know PHP, but in c# its quite simple - use a dataset.
pretty sure PDO::exec only returns number of rows.. this would be $rs in your example
If I understand your question properly you shouldn't have to call fetchAll()...
$stmt = $this->db->prepare("EXECUTE usp_myproc ?, ?");
$stmt->bindParam(1, $mystr, PDO::PARAM_STR);
$stmt->bindParam(2, $mystr2, PDO::PARAM_STR);
$rs = $stmt->execute();
echo "The return values are: $mystr , and: $mystr2";
PDOStatement::bindParam
public function callProcedure($sp_name = null, $sp_args = []) {
try {
for($i = 0; $i < count($sp_args); $i++) {
$o[] = '?';
}
$args = implode(',', $o);
$sth = $connection->prepare("CALL $sp_name($args)");
for($i = 0, $z =1; $i < count($sp_args); $i++, $z++) {
$sth->bindParam($z, $sp_args[$i], \PDO::PARAM_STR|\PDO::PARAM_INPUT_OUTPUT, 2000);
}
if($sth->execute()) {
return $sp_args;
}
} catch (PDOException $e) {
this->error[] = $e->getMessage();
}
}
I had a similar problem and was able to solve it by returning the execute like so...
function my_function(){
$stmt = $this->db->prepare("EXECUTE usp_myproc ?, ?");
$stmt->bindParam(1, 'mystr', PDO::PARAM_STR);
$stmt->bindParam(2, 'mystr2', PDO::PARAM_STR);
return $stmt->execute();
}
All that is left is to call the function using a variable and then analyse said variable.
$result = my_function();
You can now analyse the contents of $result to find the information you're looking for. Please let me know if this helps!
Try $return_value