Issue with Like Query in MYSQL PHP - php

Following problem:
If I want to search with 'Last Name' it works, but not if it is a variable in this form: $results['22']['BuyerName2']
Here is what I got so far:
$rr=$results[22]['BuyerName2'];
echo $rr; //echos Last Name
$stmt = $db->prepare("Update base_1 SET UpdateStatus=2 WHERE BuyerName LIKE ?");
$stmt->bindValue(1, "%$rr%", PDO::PARAM_STR);
$stmt->execute();
If I put the name directly in the bindValue part instead of $rr, it works. But not with $rr.

Maybe there are extra spaces in $rr. Try:
$rr = trim($results[22]['BuyerName2']);

In the line:
$stmt->bindValue(1, "%$rr%", PDO::PARAM_STR);
I am unsure whether the $ becomes escaped or not in the string you bound. As far as I know, only the underscore and the percent sign stay unescaped. I would suggest trying:
$rr = "%".$rr."%";
and edit the line to:
$stmt->bindValue(1, $rr, PDO::PARAM_STR);
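As an added example (not code from the question or either answer above), here is the LIKE update with the pattern built in PHP and bound as a single value, plus escaping of % and _ in the search term so a user-supplied value cannot widen the match. It uses an in-memory SQLite table with constructed rows so it runs offline; the table and column names mirror the question.

```php
<?php
// Added example (not from the question or either answer): bind a LIKE pattern
// as one value and escape wildcards in the search term. In-memory SQLite with
// constructed rows; the table mirrors the base_1 table named in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE base_1 (BuyerName TEXT, UpdateStatus INTEGER DEFAULT 0)");
$db->exec("INSERT INTO base_1 (BuyerName) VALUES ('Last Name'), ('100% Last'), ('Other')");

// Make % and _ in the user's term match literally, then add the wildcards we
// actually want. '!' is declared as the escape character in the query below,
// which behaves the same in MySQL and SQLite.
function likeContains(string $term): string
{
    // '!' is doubled first so the escapes added afterwards are not re-escaped
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

// Returns the number of rows updated.
function markBuyers(PDO $db, string $term): int
{
    // trim() handles the stray-whitespace case raised in the first answer
    $pattern = likeContains(trim($term));
    $stmt = $db->prepare(
        "UPDATE base_1 SET UpdateStatus = 2 WHERE BuyerName LIKE ? ESCAPE '!'"
    );
    // The complete pattern is one bound value: the % signs are data, not SQL
    $stmt->bindValue(1, $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Surrounding whitespace is trimmed before the pattern is built
echo markBuyers($db, " Last Name "), PHP_EOL;
// The % in this term is searched for literally instead of matching every row
echo markBuyers($db, "100%"), PHP_EOL;
```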

Related

UPDATE statement not working when using binding

I've got an issue regarding my UPDATE statement. When I want to update a column, it just doesn't let me do that.
I tried to use a bound value for updating the column; I expected it to change it, but it didn't do that.
I wanted it to update the column, which was the thing that I expected, but it didn't work.
Here's the code that I am struggling with:
$updatecolor = $conn->prepare("UPDATE avatar SET :part=:color WHERE user_id=:id");
$updatecolor->bindParam(':part', $part, PDO::PARAM_STR);
$updatecolor->bindParam(':color', $color, PDO::PARAM_STR);
$updatecolor->bindParam(':id', $myu->id, PDO::PARAM_INT);
$updatecolor->execute();
You can't bind the name of a column as a parameter. Perhaps use if statements to do this correctly.
if($part == "soandso"){
    $updatecolor = $conn->prepare("UPDATE avatar SET soandso=:color WHERE user_id=:id");
    $updatecolor->bindParam(':color', $color, PDO::PARAM_STR);
    $updatecolor->bindParam(':id', $myu->id, PDO::PARAM_INT);
    $updatecolor->execute();
} elseif($part == "soandso2"){
    // you get the idea
}
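The if-chain above works, but the usual way to select a column from untrusted input is a whitelist: the client's value is looked up in a fixed map, and only the map's own column name ever reaches the SQL text, while the colour and id stay bound parameters. This is an added example, not code from the question or answer; it uses an in-memory SQLite table with constructed columns and one constructed row.

```php
<?php
// Added example (not from the original answer): choose the column through a
// whitelist instead of trying to bind its name. In-memory SQLite, constructed data.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE avatar (user_id INTEGER PRIMARY KEY, hair TEXT, eyes TEXT, shirt TEXT)");
$conn->exec("INSERT INTO avatar VALUES (7, 'brown', 'green', 'red')");

// The only identifiers allowed into the query. Keys are what the client may
// send; values are the real column names (kept separate so they can differ).
const AVATAR_PARTS = ['hair' => 'hair', 'eyes' => 'eyes', 'shirt' => 'shirt'];

// Returns the number of rows updated; throws on an unknown part name.
function updateAvatarPart(PDO $conn, int $userId, string $part, string $color): int
{
    // Exact key lookup: anything not in the map never touches the SQL string
    if (!array_key_exists($part, AVATAR_PARTS)) {
        throw new InvalidArgumentException("Unknown avatar part: $part");
    }
    $column = AVATAR_PARTS[$part];
    // $column comes from our own constant, so interpolating it is safe;
    // the value and the id are still bound as parameters, never interpolated.
    $stmt = $conn->prepare("UPDATE avatar SET `$column` = :color WHERE user_id = :id");
    $stmt->bindValue(':color', $color, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

echo updateAvatarPart($conn, 7, 'hair', 'blue'), PHP_EOL;
try {
    // A column that exists but was never meant to be client-selectable is refused
    updateAvatarPart($conn, 7, 'user_id', '1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```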

Difference between passing the data type and executing an array without them

I just want to know if these 2 sets of code are doing the same thing or not, if not what's the difference?
$connect= new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->bindParam(':sample', $_POST['sample'], PDO::PARAM_STR);
$stmt->bindParam(':sample2', $_POST['sample2'], PDO::PARAM_STR);
$stmt->bindParam(':sample3', $_POST['sample3'], PDO::PARAM_STR);
$stmt->execute();
=======================AND========================
$connect= new CONNECT();
$sql = ("query here");
$stmt = $connect->runQuery($sql);
$stmt->execute(Array(
':sample1' => $_POST['sample'],
':sample2' => $_POST['sample2'],
':sample3' => $_POST['sample3']
));
FYI, both work perfectly, just wanting to know if I'm getting the full security benefit using either one. Thanks.
By passing the parameters along with the $stmt->execute() method, all values in the array will be passed to the statement as PDO::PARAM_STR, like with the $stmt->bindParam() function.
And with the $stmt->bindParam() function, you can define the data type passed along, using the PDO::PARAM_* constants.
Read more about PDO::PARAM_

can't concatenate strings with quotes

Good evening to everyone,
Sorry if my question appears silly, but I'm puzzled by my very trivial problem.
In one of the pages of my project I can't concatenate a string containing ' signs
this string can't be concatenated:
$stidR = "INSERT INTO rec_ret_info VALUES('".$rrcode."', ".$modnum.", '".$sdate."', '".$venue."', ".$fac.", ".$date.", ".$sem.")";
but this can:
$stidR = "INSERT INTO rec_ret_info VALUES(".$rrcode.", ".$modnum.", ".$sdate.", ".$venue.", ".$fac.", ".$date.", ".$sem.")";
Apparently if I remove the ' signs it works. But I really need them. I really don't know where the problem is. I would be grateful if you could point me to it.
Can you use a prepared statement to bind a variable?
Connection to Oracle with PDO - More information!
Update
PDO Prepared Statement as an example. The only thing you need to change is the query structure if Oracle is different to MySql in that regard. The binding of variables and the execution will work the same :)
$queryString= "INSERT INTO tablename (ColumnName1,ColumnName2,ColumnName3,ColumnName4,ColumnName5,ColumnName6,ColumnName7) VALUES (?,?,?,?,?,?,?)";
$query = $db->prepare($queryString);
$query->bindValue(1, $variable1, PDO::PARAM_STR);
$query->bindValue(2, $variable2, PDO::PARAM_STR);
$query->bindValue(3, $variable3, PDO::PARAM_STR);
$query->bindValue(4, $variable4, PDO::PARAM_STR);
$query->bindValue(5, $variable5, PDO::PARAM_STR);
$query->bindValue(6, $variable6, PDO::PARAM_STR);
$query->bindValue(7, $variable7, PDO::PARAM_STR);
$query->execute();
Simply echo your statement, like echo $stidR;, and check the resulting SQL to see what you are doing wrong.
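To show what the two answers are getting at, here is an added example (not code from the question or answers) that runs the concatenated INSERT next to the bound one against an in-memory SQLite table with a constructed venue value containing an apostrophe: the first breaks on the quote, the second stores it unchanged.

```php
<?php
// Added example (not from the original answers): why the concatenated INSERT
// breaks on quotes and how the bound version avoids it. In-memory SQLite with
// a constructed, reduced rec_ret_info table; the venue contains an apostrophe.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE rec_ret_info (rrcode TEXT, modnum INTEGER, venue TEXT)");

$rrcode = 'RR-17';
$modnum = 3;
$venue  = "St. Mary's Hall";   // the apostrophe is the problem

// 1. String building: the quote inside $venue ends the SQL literal early and
//    the rest of the value is parsed as SQL. Broken input is the harmless
//    case; crafted input is the injection case.
$concatenated = "INSERT INTO rec_ret_info VALUES('" . $rrcode . "', " . $modnum . ", '" . $venue . "')";
try {
    $db->exec($concatenated);
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), PHP_EOL;
}

// 2. Prepared statement: the values travel separately from the SQL text, so
//    the apostrophe is only data. No quoting or escaping by hand.
function insertRecord(PDO $db, string $rrcode, int $modnum, string $venue): int
{
    $stmt = $db->prepare("INSERT INTO rec_ret_info (rrcode, modnum, venue) VALUES (?, ?, ?)");
    $stmt->bindValue(1, $rrcode, PDO::PARAM_STR);
    $stmt->bindValue(2, $modnum, PDO::PARAM_INT);
    $stmt->bindValue(3, $venue, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}
insertRecord($db, $rrcode, $modnum, $venue);

// Read the venue back to confirm what was stored
$stored = $db->query("SELECT venue FROM rec_ret_info")->fetchColumn();
echo $stored, PHP_EOL;
```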

MySQL returning PDO placeholder names

There's a [similar post][1], but without a solution.
The following code is resulting in a MySQL query containing the placeholder names:
$the_image_itself = "abcde123def.jpg";
$title = "A Book";
$description = "Something to Read";
$the_image_itself = "%".$the_image_itself;
$stmt = $db->prepare("UPDATE nky_posts SET `post_title`=:title, `post_content`=:description WHERE `guid` LIKE :the_image_itself");
$stmt->bindParam(':title', $title);
$stmt->bindParam(':description', $description);
$stmt->bindValue(':the_image_itself', $the_image_itself, PDO::PARAM_STR);
$stmt->execute();
$stmt->debugDumpParams();
echo "<hr/>";
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
$affected_rows = $stmt->rowCount();
The result looks like:
start SQL: [105] UPDATE nky_posts SET `post_title`=:title, `post_content`=:description WHERE `guid` LIKE :the_image_itself
Params: 3
Key: Name: [6] :title
paramno=-1 name=[6] ":title" is_param=1 param_type=2
Key: Name: [12] :description
paramno=-1 name=[12] ":description" is_param=1 param_type=2
Key: Name: [17] :the_image_itself
paramno=-1 name=[17] ":the_image_itself" is_param=1 param_type=2
This is the object call:
try{
$db=new PDO('mysql:host=localhost;dbname=viewingr_ssdevwp; charset=utf8',$db_username,$db_password);
}
catch(PDOException $e){
echo 'Error connecting to MySQL!: '.$e->getMessage();
exit();
}
I don't know where you got the impression that debugDumpParams() will display the raw SQL query -- it will not. When using parameterized queries, you create a prepared statement at the database, and then send the parameter values alone. They are not sent together, meaning there's no way to print the raw SQL query.
debugDumpParams() will only display the list of parameters, their names, types etc. but not their values. One thing you can do, however, is to inspect your MySQL query log to see the raw SQL query that was executed.
Once you've found the logs, you can use the following command to see the recently executed queries (provided you have SSH access):
$ sudo tail -f /usr/local/mysql/data/yourQueryLog.log
The above path is just an example. The actual path might be different on your system.
Well, the "answer" is posted below, but the real answer is that I should have ceased banging my head against this problem and come back to it at a later date, which seems to be one of the most difficult things for me to do. At one point in my obsession I discovered a mysterious <br/> followed by some whitespace in one of the placeholder values. I ended up doing substr($var, 0, -6) on the variable to remove the anomaly until noticing that I had inadvertently concatenated a <br/> to the end of the line that populated the variable; .<br/> - probably when deleting a line of output code for testing.
I was on the line with hostMonster tech support to try and get to the MySQL logs, because people say that that is the only place one can find out exactly WHAT MySQL is "seeing" when you use placeholders, but they don't log MySQL queries, because the file would be in the terabytes.
At 3 or 4 am, I gave up.
Came back to it with a fresh head today and went through the following steps confirming each worked:
Create a simple SELECT statement without WHERE or placeholders:
$sql = "SELECT * FROM nky_posts";
Add a WHERE clause using "=" (not LIKE) with variable being something literal I know is in the DB:
$the_image = "image_url_from_phpMyAdmin";
$sql = "SELECT post_title FROM nky_posts WHERE guid = $the_image";
Substitute the literal variable with a single placeholder holding a known value:
$the_image = "image_url_from_phpMyAdmin";
$stmt->bindParam(':the_image', $the_image, PDO::PARAM_STR);
$sql = "SELECT post_title FROM nky_posts WHERE guid = :the_image";
Add the LIKE instead of = (remembering to concatenate placeholder variable with "%")
$the_image = "%" . $the_image . "%";
$stmt->bindParam(':the_image', $the_image, PDO::PARAM_STR);
$sql = "SELECT post_title FROM nky_posts WHERE guid LIKE :the_image";
Replace the "known" variable with dynamic variable (from XML result in this case):
basename($oBookNode->getElementsByTagName('actual-link')->item(0)->nodeValue);
(Using basename() function to return just the image name from URL string in wordpress database)
Finally replace the SELECT statement with my UPDATE statement, adding two additional placeholders to hold the variables to be inserted. Final code:
$sql = "UPDATE nky_posts SET post_title=:title, post_content=:description WHERE guid LIKE :the_image";
$stmt = $db->prepare($sql);
//foreach loop begins here
foreach ($oDOM->getElementsByTagName('item') as $oBookNode)
{
$the_image = basename($oBookNode->getElementsByTagName('actual-link')->item(0)->nodeValue);
$title = $oBookNode->getElementsByTagName('title')->item(0)->nodeValue;
$description = $oBookNode->getElementsByTagName('actual-content')->item(0)->nodeValue;
//concat % to variable for LIKE clause (probably only needed first one in this case, but...)
$the_image = "%" . $the_image . "%";
$stmt->bindParam(':title', $title, PDO::PARAM_STR);
$stmt->bindParam(':description', $description, PDO::PARAM_STR);
$stmt->bindParam(':the_image', $the_image, PDO::PARAM_STR);
$stmt->execute();
//end foreach loop
}
Thanks for the help, everyone.
The output from the debugDumpParams function call looks right.
That debugDumpParams function doesn't display the values of the bind parameters; it only shows the SQL text along with the placeholder names/positions, and their respective datatypes.
I'm not sure I understood the question you asked.
There's no need to invoke the fetchAll method on stmt, since it is an UPDATE statement.
Note that for rowCount, MySQL returns the number of rows that were actually changed by the statement, not the number of rows matched. That is, if the values in the columns being set were already set to the specified value, then MySQL doesn't "count" that row as being affected.

PDO Update not updating db

I can't get this code to update my MySQL database.
$SQL = $odb -> prepare("UPDATE `LB` SET `running` = `running` + 1 WHERE `url`= :url");
$SQL -> execute(array(":url"=> $url ));
May someone please help, I have searched for this and couldn't find something like this.
Don't do :url in your array, there is no need for it.
You can also use a question mark in place of your =:url like so:
url=?
Then in your array, you can either place a direct value:
$SQL->execute(array($url));
Or you can bind values incrementally:
$SQL->bindValue(1, $url, PDO::PARAM_INT);
$SQL->execute();
Except, instead of using PDO::PARAM_INT, you would use your own parameters...
So I'm guessing in your instance you would use PDO::PARAM_STR
Hopefully this helps :)
