This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Closed 2 years ago.
I've been trying to figure this out.
    $insertSql = 'INSERT INTO table (id,date,name,numFarts) VALUES (?,?,?,?)';
    $values = array(1,'0000-00-00 00:00:00','Bob',5);
    $bind_param_str = 'issi';
    if ($stmt = $db->prepare($insertSql)) { // $insertSql is a pre-written SQL insert
        $stmt->bind_param($bind_param_str, $values);
        $stmt->execute();
        $stmt->close();
    }
This doesn't work, but I can't think of any other way to pass $values into bind_param().
Any ideas?
For any function that you need to pass an array as the argument/s you can use call_user_func_array.
In this example:
    array_unshift($values, $bind_param_str);
    call_user_func_array(array($stmt, 'bind_param'), $values);
Don't ask me why you need array($stmt,'bind_param') instead of $stmt->bind_param. It has something to do with the syntax of ->, I'm sure.
The clean solution (PHP 5.6+):
    $stmt->bind_param($bind_param_str, ...$values);
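As an added example (not code from the question or either answer), this derives the bind_param() type string from the values and binds the whole array two ways: with the PHP 5.6+ spread operator, and through call_user_func_array() for code that cannot use the spread form. bind_param() takes its arguments by reference, so the call_user_func_array() path must be handed references, not plain values. $db is assumed to be an open mysqli connection and the table is the question's own.

```php
<?php
// Build the mysqli type string from PHP types: i = int, d = float, s = everything
// else (strings, dates, null). Blobs ('b') are not handled here.
function bindTypes(array $values): string
{
    $types = '';
    foreach ($values as $v) {
        $types .= is_int($v) ? 'i' : (is_float($v) ? 'd' : 's');
    }
    return $types;
}

// Legacy binding for PHP < 5.6: bind_param() wants references, so the array
// handed to call_user_func_array() must contain references into $values.
function bindLegacy(mysqli_stmt $stmt, string $types, array &$values): bool
{
    $args = [$types];
    foreach ($values as $k => &$v) {
        $args[] = &$v;
    }
    return call_user_func_array([$stmt, 'bind_param'], $args);
}

$insertSql = 'INSERT INTO `table` (id, date, name, numFarts) VALUES (?, ?, ?, ?)';
$values    = [1, '0000-00-00 00:00:00', 'Bob', 5];
$types     = bindTypes($values);   // 'issi', the same string the question wrote by hand

$stmt = $db->prepare($insertSql);

// PHP 5.6+: spreading a variable array passes its elements by reference,
// which is what bind_param() needs.
$stmt->bind_param($types, ...$values);

// Equivalent on older PHP (do not bind twice in real code; shown for comparison):
// bindLegacy($stmt, $types, $values);

$stmt->execute();
$stmt->close();
```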
This question already has answers here:
PHP generate dynamic PDO insert
(5 answers)
update table using dynamic prepared statements
(2 answers)
Insert/update helper function using PDO
(11 answers)
Closed 3 years ago.
I am making a really small script, that allows you to make an insert query, based on an array.
So the only thing that you need to do is define the $table and add an array to the function.
    public function makeRecord($table, $array){
        $array_keys = array_keys($array);
        $array_values = array_values($array);
        $keys = implode(',', $array_keys);
        $values = implode(',', $array_values);
        $this->DB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = "INSERT INTO $table ($keys)
                VALUES ($values)";
        return $this->DB->exec($sql);
    }
The code above generates an SQL query like this:
    INSERT INTO Users (UserName,Password) VALUES (daan,welkom01)
But it needs to be:
    INSERT INTO Users ('UserName', 'Password') VALUES ('daan','welkom01')
What is the best way to fix this :)?
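An added example, not the asker's code: the same makeRecord() idea rebuilt on PDO named placeholders, so the values are never spliced into the SQL string and quoting stops being your problem. It runs against an in-memory SQLite database (assumed available via pdo_sqlite) so no MySQL server is needed; the Users table is the question's.

```php
<?php
function makeRecord(PDO $db, string $table, array $row): int
{
    // Table and column names cannot be parameterised, so accept only plain
    // identifier characters before interpolating them.
    foreach (array_merge([$table], array_keys($row)) as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("Bad identifier: $ident");
        }
    }
    $cols   = implode(', ', array_keys($row));
    $params = ':' . implode(', :', array_keys($row));   // :UserName, :Password
    $sql    = "INSERT INTO $table ($cols) VALUES ($params)";

    $stmt = $db->prepare($sql);
    // execute() accepts the keys with or without the leading colon, so the
    // caller's array can be passed straight through as the bindings.
    $stmt->execute($row);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (UserName TEXT, Password TEXT)');

// A value containing a quote would have broken (or worse, altered) the
// string-concatenated query; with placeholders it is stored verbatim.
// Real code would store password_hash($password) rather than the password.
$password = "wel'kom01";
makeRecord($db, 'Users', ['UserName' => 'daan', 'Password' => $password]);

$stored = $db->query('SELECT Password FROM Users')->fetchColumn();
if ($stored !== $password) {
    throw new RuntimeException('value did not round-trip intact');
}
echo "stored exactly as given\n";
```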
This question already has answers here:
MySQLi Bind Param with an array for IN [duplicate]
(2 answers)
Closed 4 years ago.
I have this select:
    $stmt = $mysqli->prepare("select following from following where user =? and block=0");
    $stmt->bind_param('i', $user);
    $stmt->execute();
    $stmt->bind_result($followers);
    $stmt->fetch();
    $stmt->close();
I'd like to use $followers in another MySQL connection:
    select... from ... where (p.user in (?))
In this ? I'd like to place the $followers variable in MySQL IN format: (1,5,7,2).
Any ideas how to convert the bind_result $followers into this MySQL IN format?
One way to accomplish this would be to create another string variable and append the result of $followers in a while loop.
I typically work in procedural style, and I am assuming that your statement returns multiple rows into $followers:
    $sql_in_string = ''; // initialize string variable as blank
    while (mysqli_stmt_fetch($stmt)) {
        $sql_in_string = $sql_in_string . $followers . ","; // append value + comma
    }
    $sql_in_string = rtrim($sql_in_string, ","); // remove the final comma
At this point, $sql_in_string should have your values as "1,2,3" format and then you can bind that parameter to your next query.
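An added example, not the answer's code: it collects every follower id from the first statement into an array and then gives the second statement one placeholder per id, which is what IN (?) needs because a single bound parameter is one value, not a list. $mysqli and $user are assumed to exist as in the question; the posts table and its columns are placeholders for the elided second query, and get_result() assumes the mysqlnd driver.

```php
<?php
// First statement: one row per follower, so fetch in a loop and keep them all.
$stmt = $mysqli->prepare('SELECT following FROM following WHERE user = ? AND block = 0');
$stmt->bind_param('i', $user);
$stmt->execute();
$stmt->bind_result($follower);
$followers = [];
while ($stmt->fetch()) {
    $followers[] = (int) $follower;
}
$stmt->close();

// Second statement: expand IN (?) to IN (?,?,?,...) with one marker per id.
// Edge case: "IN ()" is a syntax error, so an empty list is handled up front.
if ($followers === []) {
    $posts = [];
} else {
    $marks = implode(',', array_fill(0, count($followers), '?'));
    $types = str_repeat('i', count($followers));   // every id is an integer
    $stmt = $mysqli->prepare("SELECT p.id, p.body FROM posts p WHERE p.user IN ($marks)");
    $stmt->bind_param($types, ...$followers);      // PHP 5.6+ spread, by reference
    $stmt->execute();
    $posts = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
}
```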
This question already has answers here:
PHP - Using PDO with IN clause array
(9 answers)
Closed 5 years ago.
I have this code:
    $Array = array();
    array_push($Array, "Email1", "Email2");
    $Array = implode("','", $Array);
    $Array = "'$Array'";
    echo "$Array"; // Will output 'Email1','Email2'
    $Check = $connection->prepare("SELECT ID FROM USERS WHERE EMAIL IN(:Array)");
    $Check->execute(array(
        ':Array' => $Array,
    ));
This query won't work, but if I write:
    $Check = $connection->prepare("SELECT ID FROM USERS WHERE EMAIL IN('Email1','Email2')");
    $Check->execute(array(
        ':Array' => $Array,
    ));
This works, but I won't bind the array to avoid SQL Injection.
How can I fix it?
You don't want to bind the imploded list as one element but rather each of the values individually using ? so the end of the statement would be WHERE EMAIL IN (?,?):
    $values = ["Email1", "Email2"];
    # This should give you ?,?
    $bindstr = implode(",", array_fill(0, count($values), '?'));
    $query = $connection->prepare("SELECT ID FROM USERS WHERE EMAIL IN({$bindstr})");
    # Use the raw values individually in the execute
    $query->execute($values);
Hopefully that should get results back you are looking for.
This question already has answers here:
What is the difference between bindParam and bindValue?
(7 answers)
Closed 7 years ago.
This is my php code:
    public function update($table, $fields_and_values, $condition_field, $condition_field_value)
    {
        $query = "UPDATE $table SET ";
        foreach ($fields_and_values as $field => $value) $query .= ($field . "=:" . $field . " ,");
        $query .= " ";
        $query = str_replace(", ", " WHERE ", $query);
        $query .= ($condition_field . "='" . $condition_field_value . "'");
        echo $query;
        $stmt = $this->conn->prepare($query);
        foreach ($fields_and_values as $field => $value) $stmt->bindParam(":" . $field, $value);
        $stmt->execute();
    }
And this is how I call the function in my class:
    $db = new db_connection('localhost', 'root', '', 'maps');
    $db->connect();
    $arr = array('username' => 'testfromnewclass3', 'password' => '123456');
    $db->update('users', $arr, 'username', 'term');
    $db->disconnect();
It doesn't matter what the other functions like disconnect do! They work correctly.
My problem is that when this command executes, both username and password become 123456!
And this is what I get from that echo $query:
    UPDATE users SET username=:username ,password=:password  WHERE username='term'
Is something wrong with my function? And if so, how can I fix it?
Use $stmt->bindValue($field, $value);
instead of $stmt->bindParam(":" . $field, $value);
Check this to understand the difference between PDOStatement::bindParam() and PDOStatement::bindValue()
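An added example, not the answer's code, that reproduces the "both columns become 123456" result and the fix side by side. bindParam() binds the variable by reference, and the foreach reuses the one $value variable, so at execute() time every placeholder reads its last value; bindValue() copies the value at bind time. It runs on an in-memory SQLite table (pdo_sqlite assumed) shaped like the question's users table, and also binds the WHERE value instead of concatenating it.

```php
<?php
function updateRow(PDO $db, array $fields, string $keyCol, string $keyVal, bool $byRef): array
{
    $sets = [];
    foreach (array_merge(array_keys($fields), [$keyCol]) as $col) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {   // names cannot be bound
            throw new InvalidArgumentException("Bad column: $col");
        }
    }
    foreach (array_keys($fields) as $f) {
        $sets[] = "$f = :$f";
    }
    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $sets) . " WHERE $keyCol = :keyval");

    foreach ($fields as $field => $value) {
        if ($byRef) {
            $stmt->bindParam(":$field", $value);   // reference to the loop variable: the bug
        } else {
            $stmt->bindValue(":$field", $value);   // value captured now: the fix
        }
    }
    $stmt->bindValue(':keyval', $keyVal);          // WHERE value bound, not concatenated
    $stmt->execute();
    return $db->query('SELECT username, password FROM users')->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('term', 'old')");

$fields = ['username' => 'testfromnewclass3', 'password' => '123456'];

// bindParam(): both columns end up holding the last value the loop assigned.
print_r(updateRow($db, $fields, 'username', 'term', true));

$db->exec("UPDATE users SET username = 'term'");   // reset the key for the second run

// bindValue(): each column receives its own value.
print_r(updateRow($db, $fields, 'username', 'term', false));
```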
This question already has an answer here:
Using PDO without binding
(1 answer)
Closed 9 years ago.
I'm trying to make my SQL calls more secure, and I encountered 2 ways of making prepared statements. I was wondering if there is any difference between them.
This is the Query:
    $query =
        "INSERT INTO companies
         VALUES(
             NULL,
             :name,
             :assignation,
             :priority
         )";
1)
    $statement = $pdoDbInstance->prepare($query);
    $statement->bindValue(':name', $name);
    $statement->bindValue(':assignation', $assignation);
    $statement->bindValue(':priority', $priority);
    $result = $statement->execute();
2)
    $statement = $pdoDbInstance->prepare($query);
    $result = $statement->execute(array(":name" => $name, ":assignation" => $assignation, ":priority" => $priority));
Is there any significant difference between them?
According to https://stackoverflow.com/a/12392590/2124401, it is a matter of whether you need to enforce the datatype. Execute always passes strings, so if you want something different or a specific datatype, use bindValue or bindParam. Otherwise, they are just a matter of preference.
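An added example, not from the answer, that makes the one difference visible: execute(array) binds every parameter as PDO::PARAM_STR, while bindValue() lets you declare PDO::PARAM_INT. SQLite's typeof() reports the type the driver actually sent, so an in-memory SQLite connection (pdo_sqlite assumed) is enough; the :priority placeholder is the question's.

```php
<?php
// Bind the same integer both ways and ask SQLite what type arrived.
function boundType(PDO $db, int $priority, bool $useBindValue): string
{
    $stmt = $db->prepare('SELECT typeof(:priority)');
    if ($useBindValue) {
        // Explicit type: the driver binds a native integer.
        $stmt->bindValue(':priority', $priority, PDO::PARAM_INT);
        $stmt->execute();
    } else {
        // execute(array) has no way to say the type, so it binds a string.
        $stmt->execute([':priority' => $priority]);
    }
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

echo 'execute(array): ', boundType($db, 5, false), "\n";
echo 'bindValue(PDO::PARAM_INT): ', boundType($db, 5, true), "\n";
```

With MySQL and emulated prepares the same distinction decides whether a value is quoted into the SQL, which is why a LIMIT or numeric comparison can behave differently between the two styles even though both are safe from injection.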