FYI: this file is my very first touch with PDO.
I have converted a mysqli PHP file info a PDO PHP file, it works fine. File's goal is: if user does not pass any value on keys ($ca_key1 - $ca_key3) just insert data on DB. If keys are passed and do not exist on DB, insert data on DB. If they do exist, echo an error.
I knew PDO could seem redundant, but in this case where I use same parameters up to 3 times on the same file, I ask: is there any way of binding parameter just one time and use it on the 3 executions? For example, ca_key1 could be just binded once and used on the 3 executions?
If you find any error/mistake on the file apart from this, I would appreciate if you mention me. I'd like to adapt good habits on PDO from the begining.
<?php
session_start();
include("../conexionbbdd.php");
if($_SESSION['estado'] == 'activo'){
if (isset($_POST['ca_name'])&&isset($_POST['ca_content'])&&isset($_POST['ca_img'])&&isset($_POST['ca_key1'])&&isset($_POST['ca_key2'])&&isset($_POST['ca_key3'])){
//CHECK IF USER PASSED VALUES ON KEYS
$ca_key1=$_POST['ca_key1'];
$ca_key2=$_POST['ca_key2'];
$ca_key3=$_POST['ca_key3'];
//IF PASSED, CHECK IF VALUES EXIST ON DB
if ($ca_key1!=="" || $ca_key2!=="" || $ca_key3!==""){
$selectKeys= "SELECT ca_key1,ca_key2,ca_key3 FROM ws_campaigns WHERE ca_fk_us_id = :us_id AND ("
. " (ca_key1!='' AND ca_key1 = :ca_key1) OR (ca_key2!='' AND ca_key2 = :ca_key1) OR (ca_key3!='' AND ca_key3 = :ca_key1) "
. "OR (ca_key1!='' AND ca_key1 = :ca_key2) OR (ca_key2!='' AND ca_key2 = :ca_key2) OR (ca_key3!='' AND ca_key3 = :ca_key2)"
. "OR (ca_key1!='' AND ca_key1 = :ca_key3) OR (ca_key2!='' AND ca_key2 = :ca_key3) OR (ca_key3!='' AND ca_key3 = :ca_key3))";
$statementKeys = $pdo->prepare($selectKeys);
$statementKeys->bindParam(':us_id', $_SESSION['id'], PDO::PARAM_INT);
$statementKeys->bindParam(':ca_key1', $_POST['ca_key1'], PDO::PARAM_STR);
$statementKeys->bindParam(':ca_key2', $_POST['ca_key2'], PDO::PARAM_STR);
$statementKeys->bindParam(':ca_key3', $_POST['ca_key3'], PDO::PARAM_STR);
$statementKeys->execute();
$cuenta = $statementKeys->rowCount();
//IF NOT EXIST, INSERT DATA
if ($cuenta === 0){
$insertCampaign = "INSERT INTO ws_campaigns(ca_id,ca_name, ca_content,ca_fk_us_id,ca_img,ca_prefix,ca_key1,ca_key2,ca_key3
)VALUES('',:ca_name,:ca_content,:us_id,:ca_img,'34',:ca_key1,:ca_key2,:ca_key3)";
$statementInsertCampaign = $pdo->prepare($insertCampaign);
$statementInsertCampaign->bindParam(':us_id', $_SESSION['id'], PDO::PARAM_INT);
$statementInsertCampaign->bindParam(':ca_name', $_POST['ca_name'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_content', $_POST['ca_content'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_img', $_POST['ca_img'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key1', $_POST['ca_key1'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key2', $_POST['ca_key2'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key3', $_POST['ca_key3'], PDO::PARAM_STR);
$statementInsertCampaign->execute();
$newId = $pdo->lastInsertId();
echo $newId;
}
else{
echo "No se ha creado la campaña. <br>Alguna de las palabras clave utilizadas ya están presentes en una campaña anterior.";
}
}else{
//IF NO VALUES PASSED, INSERT DATA
$insertCampaign = "INSERT INTO ws_campaigns(ca_id,ca_name, ca_content,ca_fk_us_id,ca_img,ca_prefix,ca_key1,ca_key2,ca_key3
)VALUES('',:ca_name,:ca_content,:us_id,:ca_img,'34',:ca_key1,:ca_key2,:ca_key3)";
$statementInsertCampaign = $pdo->prepare($insertCampaign);
$statementInsertCampaign->bindParam(':us_id', $_SESSION['id'], PDO::PARAM_INT);
$statementInsertCampaign->bindParam(':ca_name', $_POST['ca_name'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_content', $_POST['ca_content'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_img', $_POST['ca_img'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key1', $_POST['ca_key1'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key2', $_POST['ca_key2'], PDO::PARAM_STR);
$statementInsertCampaign->bindParam(':ca_key3', $_POST['ca_key3'], PDO::PARAM_STR);
$statementInsertCampaign->execute();
$newId = $pdo->lastInsertId();
echo $newId;
}
}else{
header('location:../paneles/campana.php?msg=nodata');
}
}else{
header('location:../login.php?msg=nopermission');
}
?>
Actually, you don't have to bind [explicitly] at all.
PDO is a great step further compared to mysqli, and this is one of it benefits: you can create an array of variables, and pass them directly into execute(), instead of binding them one by one - PDO will bind them internally, using PDO::PARAM_STR by default, which is not a problem most of time, save for only one case - LIMIT clause parameres.
It is not only greatly reduces amount of code, but also let you to reuse the same set of variables with different queries.
$data = array(
'us_id' => $_SESSION['id'],
'ca_name' => $_POST['ca_name'],
// and so on
);
$stmt->execute($data);
Of course, array keys have to match placeholders in the query. If your queries have different sets of placeholders, you will need different arrays as well.
Related
I just want to know if these 2 sets of code are doing the same thing or not, if not what's the difference?
$connect= new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->bindParam(':sample', $_POST['sample'], PDO::PARAM_STR);
$stmt->bindParam(':sample2', $_POST['sample2'], PDO::PARAM_STR);
$stmt->bindParam(':sample3', $_POST['sample3'], PDO::PARAM_STR);
$stmt->execute();
=======================AND========================
$connect= new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->execute(Array(
':sample1' => $_POST['sample'],
':sample2' => $_POST['sample2'],
':sample3' => $_POST['sample3']
));
FYI, both work perfectly, just wanting to know if I'm getting the full security benefit using either one. Thanks.
By passing the parameters along with the $stmt->execute() method, all values in the array with be passed, as PDO::PARAM_STR to the statement with the $stmt->bindParam() function.
And with the $stmt->bindParam() function, you can define the data type passed along, using the PDO::PARAM_*
Read more about PDO::PARAM_
I hope someone can point out where I am going wrong with this update, I have tried various ways but just can't seem to get it to work, probably a simple mistake but I just can't seem to find it.
function set_live($row_id, $mobile_number)
{
global $conn;
$live = 1;
$sql = "
UPDATE
connections
SET
live = :live,
voice_number = :mobile_number
WHERE
id = :row_id";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':mobile_number', $mobile_number, PDO::PARAM_INT);
$stmt->bindParam(':row_id', $row_id, PDO::PARAM_INT);
$stmt->bindParam(':live', $live, PDO::PARAM_INT);
$stmt->execute();
echo "Record edited successfully";
$conn=null;
}
$conn is the PDO connection which works with SELECT's etc
All variables are numbers and all echo OK so are in the function
I can run the query with the actual values in phpmyadmin and it works OK
Just replace this line
$stmt->bindParam(':mobile_number', $mobile_number, PDO::PARAM_INT);
with this
$stmt->bindParam(':mobile_number', $mobile_number, PDO::PARAM_STR);
Because the phone number length is more than integer.
Why not try using an Array? That approach may well do the Trick for you:
<?php
function set_live($row_id, $mobile_number){
global $conn;
$live = 1;
$sql = "UPDATE connections SET live=:live, voice_number=:mobile_number WHERE id=:row_id";
$stmt = $conn->prepare($sql);
$params = array(
"live" =>$live,
"mobile_number" =>$mobile_number,
"row_id" =>$row_id,
);
$stmt->execute($params);
echo "Record edited successfully";
$conn=null;
}
I have some method to insert some data into a database like this:
public function register($username, $email, $hashedPassword, $activationCode)
{
try {
$conn = Database::getConnection();
// Connect and create the PDO object
$conn->exec('SET CHARACTER SET utf8'); // Sets encoding UTF-8
// Define and prepare an INSERT statement
$sql = 'INSERT INTO users (username, email, pass, reset_token, dateAdded )
VALUES (:username, :pass, :email, :token, now())';
$sqlprep = $conn->prepare($sql);
// Adds value with bindParam
$sqlprep->bindParam(':username', $username, PDO::PARAM_STR);
$sqlprep->bindParam(':email', $email, PDO::PARAM_STR);
$sqlprep->bindParam(':pass', $hashedPassword);
$sqlprep->bindParam(':token', $activationCode);
// If the query is successfully executed, output the value of the last insert id
if ($sqlprep->execute()) {
//echo 'Succesfully added the row with id='. $conn->lastInsertId();
$this->result = true;
}
$conn = null; // Disconnect
} catch (PDOException $e) {
include('../views/error.php');
include('../views/admin/includes/footer.php');
exit();
}
}
The problem is I think it's not a good method if I have so many arguments for my function to enter into a database. So is it any good way I can enter a lot of fields just by using 1 parameter but still using bindParam? Since I see a lot of examples is only using prepare without bindParam. I think I can use an array, but I don't know the proper way to do it. So I need some help how I can do it.
since you want keep your bindparam i suggest you use input like this:
$input = array('username' => $username, 'activationHash' => $activationHash);
and in your bindParam add a code like this:
public function register($input){
//code
$sqlprep->bindParam(':username', $input['username'], PDO::PARAM_STR);
//other
}
hope this will solve your problem
https://stackoverflow.com/a/10060755/1747411
Check second example, you have to repeat values with binds
e.g
VALUES (:username1, :pass1, :email1, :token1, now()), (:username2, :pass2, :email2, :token2, now())
and bindParam with loop
You can insert the params as an array into $sqlprep->execute($param_array)
Or, simply passing each param into an array inside execute, like this: $sqlprep->execute(array($param1, $param2))
Update:
Pass values into $input as an array:
$input = array('username' => $username, 'activationHash' => $activationHash); //and so on
Now on the model side,
You can bind these values to params using foreach loop like this:
foreach ($values as $key => $value) {
$sqlprep->bindParam(':' . $key, $value , PDO::PARAM_STR);
}
Good evening to everyone,
Sorry if my question apperes sily but I'm pazzled by my very trivial problem
In one of the pages of my project I can't concatenate a string containing ' signs
this string can't be concatenated:
$stidR = "INSERT INTO rec_ret_info VALUES('".$rrcode."', ".$modnum.", '".$sdate."', '".$venue."', ".$fac.", ".$date.", ".$sem.")";
but this can:
$stidR = "INSERT INTO rec_ret_info VALUES(".$rrcode.", ".$modnum.", ".$sdate.", ".$venue.", ".$fac.", ".$date.", ".$sem.")";
Apparently if I remove ' signs it works. But i really need them. I really don't know where is the problem. Would be gratefull if you can point me on it.
Can you use a prepared statement to bind a variable?
Connection to Oracle with PDO - More information!
Update
PDO Prepared Statement as an example. The only thing you need to change is the query structure if Oracle is different to MySql in that regard. The binding of variables and the execution will work the same :)
$queryString= "INSERT INTO tablename (ColumnName1,ColumnName2,ColumnName3,ColumnName4,ColumnName5,ColumnName6,ColumnName7) VALUES (?,?,?,?,?,?,?)";
$query = $db->prepare($queryString);
$query->bindValue(1, $variable1, PDO::PARAM_STR);
$query->bindValue(2, $variable2, PDO::PARAM_STR);
$query->bindValue(3, $variable3, PDO::PARAM_STR);
$query->bindValue(4, $variable4, PDO::PARAM_STR);
$query->bindValue(5, $variable5, PDO::PARAM_STR);
$query->bindValue(6, $variable6, PDO::PARAM_STR);
$query->bindValue(7, $variable7, PDO::PARAM_STR);
$query->execute();
simply make echo of your statement like
echo $stidR ; and check the resulting sql, and see what you are doing wrong
Is there an easy way to echo the value stored in a bound parameter.
$sql ="call storedproc(:firstname, :lastname)";
$stmt = $this->DBH->prepare($sql);
$stmt->bindParam(':firstname', $fname);
$stmt->bindParam(':lastname', $lname);
//I want to do this
echo $stmt->firstname;
$stmt->execute;
If you only want to "see" what's going on then there's PDOStatement->debugDumpParams():
Dumps the informations contained by a prepared statement directly on the output. It will provide the SQL query in use, the number of parameters used (Params), the list of parameters, with their name, type (paramtype) as an integer, their key name or position, the value, and the position in the query (if this is supported by the PDO driver, otherwise, it will be -1).
<?php
function parms($string,$data) {
$indexed=$data==array_values($data);
foreach($data as $k=>$v) {
if(is_string($v)) $v="'$v'";
if($indexed) $string=preg_replace('/\?/',$v,$string,1);
else $string=str_replace(":$k",$v,$string);
}
return $string;
}
$string='INSERT INTO stuff(name,value) VALUES (?,?)';
$data=array('Fred',23);
$string='INSERT INTO stuff(name,value) VALUES (:name,:value)';
$data=array('name'=>'Fred','value'=>23);
print parms($string,$data);
$update = "update registration";
$update .= " set status=:statusid";
$update .= " where refid=:refid";
$stmt = $db->prepare($update);
$data=array('statusid' => $statusid,'refid' => $refid);
echo parms($update,$data); // checking bind values
exit;
$stmt->execute(array ('statusid' => $statusid,'refid' => $refid));
?>
//output
update registration set status='all' where refid='45'