This question already has answers here:
pdo prepared statements with wildcards
(2 answers)
Closed 7 years ago.
I am trying to use a LIKE statement in the function format. I received a lot of results using mysql or pdo formats, but they didn't work for the format I have set up already. It's just not returning anything and I am not sure if this is the correct format. Here is what I have:
function search_users($namesearch){
    global $db;
    $query = "SELECT * FROM users
              WHERE username LIKE '%:namesearch%'
              ORDER BY username";
    $statement = $db->prepare($query);
    $statement->bindValue(":namesearch", $namesearch);
    $statement->execute();
    $usersearch = $statement->fetchAll();
    $statement->closeCursor();
    return $usersearch;
}
I'd do it like this.
function search_users($namesearch){
    global $db;
    $query = "SELECT * FROM users
              WHERE username LIKE ?
              ORDER BY username";
    $statement = $db->prepare($query);
    $statement->execute(array('%' . $namesearch . '%'));
    $usersearch = $statement->fetchAll();
    $statement->closeCursor();
    return $usersearch;
}
This question already has an answer here:
Correct way to use LIKE '%{$var}%' with prepared statements?
(1 answer)
Closed 1 year ago.
I should execute this method, but I don't know how to pass the $research value as a LIKE parameter in bind:
public function researchElements($research) {
    $stmt = $this->db->prepare("SELECT * FROM product WHERE product_name LIKE "'%?%'"");
    $stmt->bind_param('s', $research);
    $stmt->execute();
    $result = $stmt->get_result();
    $result = $result->fetch_all(MYSQLI_ASSOC);
    return $result;
}
At least you can use the CONCAT function in your query, like this:
$stmt = $this->db->prepare("SELECT * FROM product WHERE product_name LIKE CONCAT('%',?,'%')");
Note: if the $research variable gets the value '', then the query will return all rows from the table.
This question already has answers here:
Can I parameterize the table name in a prepared statement? [duplicate]
(2 answers)
Closed 5 years ago.
It is working
$result = $conn->prepare("SELECT * FROM questions");
$result->execute();
But this is not
$result = $conn->prepare("SELECT * FROM (?)");
$result -> bind_param("s", $name_tb);
$name_tb = "questions";
$result->execute();
The error is:
Call to a member function bind_param() on boolean
This won't work.
It is actually not possible to bind table names. You can only bind query parameters. What you can do is something like:
$table = "TABLENAME";
query($table);

function query($table) {
    $sql = "SELECT * FROM $table";
}
Of course you have to edit the content of the function so that it'll work. It's just to show you an example. But keep in mind: no table names. Only parameters with bind.
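Since a table name can never be a bound parameter, the usual defensive pattern is to accept only a short allowlist of logical names and map each to a fixed, already-quoted identifier. The following is an added example, not the answer's own code; it assumes the pdo_sqlite extension is available (backtick quoting also works on MySQL):

```php
<?php
// Added example (not the answer's code). A table name cannot be a bound
// parameter, so the only safe way to make it dynamic is to accept an
// allowlist of logical names mapped to fixed, already-quoted identifiers;
// anything else is rejected before any SQL text is built.
// Assumes pdo_sqlite; backtick-quoted identifiers also work on MySQL.

const ALLOWED_TABLES = [
    'questions' => '`questions`',
    'answers'   => '`answers`',
];

function select_all(PDO $db, string $logicalName): array
{
    if (!array_key_exists($logicalName, ALLOWED_TABLES)) {
        throw new InvalidArgumentException("unknown table: $logicalName");
    }
    // Interpolation is safe here only because the identifier comes from
    // the map above, never from the caller's string.
    $sql = 'SELECT * FROM ' . ALLOWED_TABLES[$logicalName];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE questions (id INTEGER, title TEXT)");
$db->exec("INSERT INTO questions VALUES (1, 'first'), (2, 'second')");

print_r(select_all($db, 'questions'));   // an allowlisted name is queried normally

try {
    select_all($db, 'accounts');         // a name outside the allowlist is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```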
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I've been stuck on this for about 3 days now and asked multiple people about this, and no one seems to have an answer for me as to why this is not working. I cannot figure out why they aren't binding, because the bindings work on the SELECT statement but not the UPDATE. I know for a fact that $sessCheck['userid'] and $sessCheck['hwid'] are being set because I already printed them out to check if they were null or something.
The inbound request from Slim
{"userid": "1000","hwid":"TESTING"}
The function
function updateHWID(){
    $request = Slim::getInstance()->request();
    //$bsreq = utf8_encode();
    $sessCheck = json_decode($request->getBody(), true, 9 );
    $db = getConnection();
    $sql = "SELECT userid,hwID FROM accounts WHERE userid = :userid";
    $stuff = $db->prepare($sql);
    $stuff->bindParam("userid", $sessCheck['userid']);
    $stuff->execute();
    $db = null;
    $rows = $stuff->fetch(PDO::FETCH_ASSOC);
    if ($rows['hwID'] != $sessCheck['hwid']) {
        $sql2 = "UPDATE accounts SET hwID=':hwid' WHERE userID = ':userid';";
        try {
            $db2 = getConnection();
            $stmt = $db2->prepare($sql2);
            //these two param's are not binding
            $stmt->bindParam("userid", $sessCheck['userid']);
            $stmt->bindParam("hwid", $sessCheck['hwid']);
            $stmt->execute();
            //$rt = $stmt->fetch(PDO::FETCH_ASSOC);
            //$stmt->debugDumpParams();
        } catch(PDOException $e) {
            echo '{"error":{"text":'. $e->getMessage() .'}}';
        }
    }
}
This is the result that shows up in the SQL log
1372 Query UPDATE accounts SET hwID=':hwid' WHERE userID = ':userid'
I've also tried this, which also didn't work
$stmt->bindParam(":userid", $sessCheck['userid']);
$stmt->bindParam(":hwid", $sessCheck['hwid']);
Then I tried this too and it didn't work
$stmt = $db2->prepare("UPDATE accounts SET hwID='?' WHERE userID = '?';");
$stmt->bindParam(1, $sessCheck['hwid'], PDO::PARAM_STR);
$stmt->bindParam(2, $sessCheck['userid'], PDO::PARAM_INT);
Take the bound parameter names out of their single quotes.
So:
$sql2 = "UPDATE accounts SET hwID=:hwid WHERE userID = :userid;";
This question already has answers here:
MySQL "LIKE" search doesn't work
(2 answers)
Closed 7 years ago.
I am attempting to create a search function for my website using PDO. At the moment I send the search query through the URL and then try to fetch the results; however, whenever I do a var_dump it returns null. I tested the query in phpMyAdmin and it returns around 4 results.
I use a class I created to connect to the database, this works on all my other queries.
Here is my search function
function search($query) {
    $sql = "SELECT * FROM `Sweets` WHERE `Description` LIKE :search";
    $stmt = $this->connection->prepare($sql);
    $stmt->bindParam(':search', $query);
    $stmt->execute();
    $done = $stmt->fetch();
    var_dump($done[0]);
}
Below is the search php my form calls as an action
<?php
// Start our connecting to our database
require('class-database-functions.php');
$database = new Database_Functions();
// Get the search value passed through $_GET
$search_query = $_GET['query'];
$search = $database->search($search_query);
?>
Try this:
$sql = "SELECT * FROM `Sweets` WHERE `Description` LIKE ?";
$stmt = $this->connection->prepare($sql);
$stmt->bindValue(1, "%$query%", PDO::PARAM_STR);
This question already has answers here:
MySQLi equivalent of mysql_result()?
(12 answers)
Closed 9 years ago.
I am trying to return the user's id number from the database but I can't figure out how to return the result of the query. I used to use mysql_result() so what would I need to do now that I'm using mysqli?
function user_id_from_username($username){
    $query = mysqli_query($conn, "SELECT `user_id` FROM `users` WHERE `username` = '$username'");
    return (what?);
}
You haven't reaped one of the main benefits of moving from mysql to mysqli, which is using prepared statements to parameterize your queries and protect yourself from injection.
$query = mysqli_prepare($conn, "SELECT user_id FROM `users` WHERE username = ?");
mysqli_stmt_bind_param($query, "s", $username);
mysqli_stmt_execute($query);
mysqli_stmt_bind_result($query, $userid);
mysqli_stmt_fetch($query);
//$userid is now user_id
Check this http://php.net/manual/en/mysqli.query.php for mysqli_query usage, and this http://www.php.net/manual/en/class.mysqli-result.php on how to get the values from the result.