How To Use Variables In Mysql Queries With PDO [duplicate] - php

This question already has an answer here:
How to dynamically build queries with PDO
(1 answer)
Closed 7 years ago.
I want to use my variables in my MySQL queries safely. I'm using PDO for this. But I can't use PDO placeholders for the table name.
This works:
$stmt = $db->prepare("SELECT * FROM table WHERE id=?");
$stmt->execute(array($id));
But this doesn't:
$stmt = $db->prepare("SELECT * FROM ? WHERE id=?");
$stmt->execute(array($table, $id));
What am I doing wrong?

Just do
$stmt = $db->prepare("SELECT * FROM ".$table." WHERE id=?");
$stmt->execute(array($id)); // execute() takes an array of parameter values
You can't use placeholders for table names.
That should not be a problem since the table name should be something you control.

Here is the simple answer for you.
$statement = $db->prepare("SELECT * FROM table WHERE id=(:some_id)");
$statement->execute(array(':some_id' => $row['id']));
You should provide it in key => value format.

How to get a column value using MySQLi? [duplicate]

This question already has answers here:
Single result from database using mysqli
(6 answers)
Closed 5 months ago.
I am trying to get a value from column "odznak" in the "users" tab for user "user01" and store it in the variable $odznak (for searching in another tab).
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = 'user01'");
$stmt->execute();
$result = $stmt;
$odznak;
You need to fetch the data (say, into an associative array).
On the other hand, as a good practice, please use a parameterized prepared statement in your select query.
So, change to:
$stmt = $conn->prepare("SELECT odznak FROM users WHERE username = ?");
$username = 'user01';            // bind_param() needs a variable, not a literal
$stmt->bind_param("s", $username);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_assoc();
$odznak = $row["odznak"];
Now $odznak is the retrieved data.

Prepare select statement in php [duplicate]

This question already has answers here:
Can I bind an array to an IN() condition in a PDO query?
(23 answers)
MySQLi Bind Param with an array for IN [duplicate]
(2 answers)
Closed 5 years ago.
I can not figure out how I can prepare my select statement.
$query = "SELECT name, art FROM table_one WHERE name LIKE ? AND art IN ?";
if ($stmt = $db_link->prepare($query)) {
$stmt->bind_param("ss", $name, $art);
$stmt->execute();
if ($stmt->errno){
//Deal with error
}
$name = "%Marc%";
$art = "('green', 'blue', 'red')";
$stmt->execute();
$stmt->bind_result($name, $art);
while ($stmt->fetch()){
//Output data
}
}
So the problem is that something does not work with the syntax in the prepared statement. This is my first attempt at preparing statements.
I had the query working before without using a prepared statement, but I am forced to use that now.
The old query looked like this:
$query = "SELECT name, art FROM table_one WHERE name LIKE '%$name%' AND art IN ('$art')";
Thank you for your help.
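A placeholder stands for exactly one value, so `art IN ?` cannot take a whole list; the usual fix is to generate one `?` per array element. The following is an added example, not the asker's code; it assumes the `$db_link` mysqli connection and the `table_one` schema from the question.

```php
<?php
// Added example (not from the question): expand IN (...) to one "?" per element
// and keep the LIKE wildcards in the bound value, never in the SQL text.
// Assumes $db_link is a connected mysqli object and table_one has name/art columns.

function findByNameAndArt(mysqli $db_link, string $name, array $art): array
{
    if ($art === []) {
        return [];   // "IN ()" is a syntax error, and an empty list matches nothing anyway
    }
    // Build "?, ?, ?" from the number of values supplied.
    $in  = implode(', ', array_fill(0, count($art), '?'));
    $sql = "SELECT name, art FROM table_one WHERE name LIKE ? AND art IN ($in)";

    $stmt = $db_link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db_link->error);
    }

    $pattern = '%' . $name . '%';                     // wildcards belong to the value
    $types   = 's' . str_repeat('s', count($art));    // one "s" for LIKE, one per IN element
    // bind_param() binds by reference; argument unpacking of a real array variable is allowed.
    $stmt->bind_param($types, $pattern, ...$art);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    $stmt->bind_result($rowName, $rowArt);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['name' => $rowName, 'art' => $rowArt];
    }
    $stmt->close();
    return $rows;
}

// Usage with the values from the question:
// $rows = findByNameAndArt($db_link, 'Marc', ['green', 'blue', 'red']);
```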

Fetch COUNT DISTINCT data with prepared statements [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 5 years ago.
I have this code to get a COUNT DISTINCT data:
$param = 'email';
$stmt = $conn->stmt_init();
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(?)) FROM contatos");
$stmt->bind_param('s',$param);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($count);
while ($stmt->fetch()) {
echo $count;
}
But echo $count always returns 1, while I have dozens of records...
What is wrong?
Thanks
Binding is not allowed for column names (or table names). Your query is not executing correctly. You need to directly pass the name of the field.
$stmt = $conn->prepare("SELECT COUNT(DISTINCT(email)) FROM contatos");

How to bind column = value to a PDO statement [duplicate]

This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 7 years ago.
I have a Query like this in my PDO statement:
SELECT * FROM table WHERE ? = ? ORDER BY id DESC
I wanted to bind column name to first ? and the value to second ? (column = value)
I tried many things such as below, but they all fail or return an empty array (when there should be a result).
This returns an empty array:
$query = "SELECT * FROM table WHERE ? = ? ORDER BY id DESC";
$stmt = $db->prepare($query);
$stmt->bindValue(1, $column, PDO::PARAM_STR);
$stmt->bindValue(2, $value, PDO::PARAM_STR);
and this one displays an error:
$query = "SELECT * FROM table WHERE column = :value ORDER BY id DESC";
$stmt = $db->prepare($query);
$stmt->bindColumn('column', $column);
$stmt->bindValue(':value', $value, PDO::PARAM_STR);
Column is variable, so I had to bind it and can't put it in the query directly.
What am I doing wrong here? I tried many things but no luck...
Please note that I know how to bind values if column is static, my issue is when column is also variable like above.
It should be bindParam, but you can execute it with an array inside too; that's the way I do it:
$query = $db->prepare( 'SELECT * FROM table WHERE column = :value ORDER BY id DESC' ); // placeholder must not be inside quotes
$query->execute(array(
':value' => $value
));
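Three of the threads above (the table name in the first question, the `COUNT(DISTINCT ?)` question, and the `? = ?` column question) hit the same limit: PDO and mysqli bind values, never identifiers. What follows is an added example, not code from any of the answers; it assumes a `$pdo` connection and an allow-list of table and column names that the application defines itself.

```php
<?php
// Added example (not from the answers): identifiers are checked against a fixed
// allow-list and quoted with backticks; only the comparison value is bound.
// The table/column names in TABLES and the PDO DSN are assumptions.

final class SafeQuery
{
    // Allow-list: table name => columns the application may reference (assumed).
    private const TABLES = [
        'users'    => ['id', 'username', 'email'],
        'contatos' => ['id', 'email', 'nome'],
    ];

    private PDO $pdo;

    public function __construct(PDO $pdo) { $this->pdo = $pdo; }

    // Returns the quoted identifier, or throws if it is not on the allow-list.
    private static function ident(string $table, ?string $column = null): string
    {
        if (!isset(self::TABLES[$table])) {
            throw new InvalidArgumentException("table not allowed: $table");
        }
        if ($column === null) {
            return "`$table`";
        }
        if (!in_array($column, self::TABLES[$table], true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        return "`$column`";
    }

    // SELECT * FROM <table> WHERE <column> = :value ORDER BY id DESC
    public function selectWhere(string $table, string $column, string $value): array
    {
        $sql = 'SELECT * FROM ' . self::ident($table)
             . ' WHERE ' . self::ident($table, $column) . ' = :value ORDER BY id DESC';
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute([':value' => $value]);   // the value is the only parameter
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // SELECT COUNT(DISTINCT <column>) FROM <table>
    public function countDistinct(string $table, string $column): int
    {
        $sql = 'SELECT COUNT(DISTINCT ' . self::ident($table, $column) . ') FROM ' . self::ident($table);
        return (int) $this->pdo->query($sql)->fetchColumn();
    }
}

// $q = new SafeQuery(new PDO('mysql:host=localhost;dbname=app', 'user', 'pass')); // assumed DSN
// $rows = $q->selectWhere('users', 'username', $_GET['name'] ?? '');
// $n    = $q->countDistinct('contatos', 'email');
```

A request for a table or column outside the allow-list is rejected before any SQL is built, which is the check the answers above leave to the caller.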

How do I use a LIKE clause in a PDO prepared statement? [duplicate]

This question already has answers here:
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
Closed 2 years ago.
I have a sql query like this:
SELECT * FROM tbl_name WHERE title Like "%:needle%"
When I query the MySQL db manually with this statement it works. But when I use it with PDO, with the same values for :needle as I queried manually, it just returns an empty result set.
Does utf8 encoding affect the behavior of it?
With PDO, this can be done like:
$stmt = $db->prepare("SELECT * FROM tbl_name WHERE title LIKE :needle");
$needle = '%somestring%';
$stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
Try like:
$sql = 'SELECT * FROM tbl_name WHERE title LIKE :needle'; // no quotes around the placeholder
$prep = $dbh->prepare($sql);
$ret = $prep->execute(array(':needle' => '%'.$somestring.'%'));
The '%' needs to be in the variable, not the statement.
Put the '%' in the variable, and you should be fine.
'SELECT * FROM tbl_name WHERE title LIKE :needle'
$needle = "%$needle%";
This worked for me:
$sql = $conn->prepare("select * from itens where nome LIKE :nome");
$nome = "%".$item->getName()."%";
$sql->bindParam(":nome", $nome);
$sql->execute();
$rows = $sql->fetchAll(PDO::FETCH_ASSOC);
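The answers above agree that the `%` belongs in the bound value. One step further, as an added example that is not from any of the answers: if the needle comes from a user, its own `%` and `_` characters should be escaped so they match literally rather than acting as wildcards. It assumes a `$pdo` connection and the `tbl_name`/`title` schema from the question.

```php
<?php
// Added example (not from the answers): build the LIKE pattern in PHP, escape the
// user's wildcard characters, and bind the whole pattern as one value.
// "!" is chosen as the ESCAPE character so no backslash doubling is needed.

function escapeLike(string $needle, string $esc = '!'): string
{
    // The escape character itself is replaced first, then the two LIKE metacharacters.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $needle);
}

function searchTitle(PDO $pdo, string $needle): array
{
    // The SQL text is constant; the pattern arrives only through the placeholder.
    $stmt = $pdo->prepare("SELECT * FROM tbl_name WHERE title LIKE :needle ESCAPE '!'");
    $pattern = '%' . escapeLike($needle) . '%';
    $stmt->bindValue(':needle', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// escapeLike('100%_done') yields '100!%!_done', so searchTitle($pdo, '100%')
// matches titles containing the literal text "100%", not every title containing "100".
```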