This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I know the connection works as i have used this to insert data into the tables but i cant seem to pull it out. Any help would be greatly appreciated.
//Gets id from url
$projectid = $_GET['id'];
try{
// DB CONNECTION
$link = $database->connection;
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Query for projects
$q = ("SELECT * FROM projects WHERE id=':pid'");
$prep = $link->prepare($q);
$array = array(
':pid' => $projectid
);
$prep->execute($array);
}catch(PDOException $pde){
echo $pde->getMessage();
die();
}
//Method to retrieve results
while ($r = $prep->fetch()) {
echo $r['projectname'];
}
When you are using PDO with prepared statements, you don't need the single quotes around the pid term. PDO automatically inserts those for you. Just do:
$q = ("SELECT * FROM projects WHERE id = :pid");
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I've been stuck on this for about 3 days now and asked multiple people about this and no one seems to have an answer to me why this is not working. I cannot figure out why they aren't binding because the bindings work on the select statement but not the update. I know for a fact that $sessCheck['userid'] and $sessCheck['hwid'] are being set because I already printed them out to check if they were null or something.
The request inbound from slim
{"userid": "1000","hwid":"TESTING"}
The function
function updateHWID(){
$request = Slim::getInstance()->request();
//$bsreq = utf8_encode();
$sessCheck = json_decode($request->getBody(), true, 9 );
$db = getConnection();
$sql = "SELECT userid,hwID FROM accounts WHERE userid = :userid";
$stuff = $db->prepare($sql);
$stuff->bindParam("userid", $sessCheck['userid']);
$stuff->execute();
$db = null;
$rows = $stuff->fetch(PDO::FETCH_ASSOC);
if ($rows['hwID'] != $sessCheck['hwid']) {
$sql2 = "UPDATE accounts SET hwID=':hwid' WHERE userID = ':userid';";
try {
$db2 = getConnection();
$stmt = $db2->prepare($sql2);
//these two param's are not binding
$stmt->bindParam("userid", $sessCheck['userid']);
$stmt->bindParam("hwid", $sessCheck['hwid']);
$stmt->execute();
//$rt = $stmt->fetch(PDO::FETCH_ASSOC);
//$stmt->debugDumpParams();
} catch(PDOException $e) {
echo '{"error":{"text":'. $e->getMessage() .'}}';
}
}
}
This is the result incoming on the sql log
1372 Query UPDATE accounts SET hwID=':hwid' WHERE userID = ':userid'
I've also tried this as well as using the which also didn't work
$stmt->bindParam(":userid", $sessCheck['userid']);
$stmt->bindParam(":hwid", $sessCheck['hwid']);
Then I tried this too and it didn't work
$stmt = $db2->prepare("UPDATE accounts SET hwID='?' WHERE userID = '?';");
$stmt->bindParam(1, $sessCheck['hwid'], PDO::PARAM_STR);
$stmt->bindParam(2, $sessCheck['userid'], PDO::PARAM_INT);
Take the binded parameter names out of their single quotes.
so:
$sql2 = "UPDATE accounts SET hwID=:hwid WHERE userID = :userid;";
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 7 years ago.
I have no idea why this is not returning anything. I'll show the code and talk through the steps I've taken.
if (isset($_GET['observation'])) {
require_once("../func/connect.php");
$query = "SELECT * FROM observations WHERE option = ?";
$stmt = $db->prepare($query);
$stmt->bindValue(1, $_GET['observation']);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row['question'];
} else {
echo 'nope';
}
$row dumps a false boolean, $row['question'] is null.
I've wrote about a million queries and don't have a clue why this doesn't work.
Database table observations consists of id, question & option and the bindValue is correct to match a string in the database.
However, it returns null.
option is a reserved word in mysql so you need to quote it with backticks:
$query = "SELECT * FROM observations WHERE `option` = ?";
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I currently use mysql_real_escape_string to escape variable in mysql query. I know how to use bindValue, but I have a question about protection when I'm trying to insert table name from variable. For example
$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");
Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?
You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source - If it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:
$allowedTables = array('posts', 'users');
if(!in_array($tablename, $allowedTables)){
throw new Exception('Invalid table name: ' . $tablename);
}
$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Have a minor issue when updating records in MySQL using PDO. It fails to update when I use grammar so for an example, if I use: ' it fails me. I am using my prepare, but it's just the apostrophe that fails to work?
if($_POST['ourstory']) {
foreach($_POST['ourstory'] as $id => $ourstory) {
$sql = "UPDATE our_story SET content = '$ourstory' WHERE id = '$id'";
$q = $db->prepare($sql);
$q->execute(array($id,$ourstory));
}
}
That's not how you use prepared statements. You want to use a ? in your query.
$sql = "UPDATE our_story SET content = ? WHERE id = ?";
$q = $db->prepare($sql);
$q->execute(array($ourstory, $id));
This question already has answers here:
Table name as parameter using PDO/MySQL prepared statement [duplicate]
(2 answers)
Closed 8 years ago.
$dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
$sql = 'CREATE DATABASE :db_name';
$sth = $dbh->prepare($sql);
$sth->bindParam(':db_name', $_POST['db_name']);
var_dump($sth->execute());
It's allways show false. But if directly specify db_name, like this:
$sql = 'CREATE DATABASE database';
$sth = $dbh->prepare($sql);
$sth->execute();
It will work. What I'm doing wrong?
You can only bind data (column values) in parametrized query, not column name and table name. Also, in your code you tried to parametrize connection initialization which I think not correct.
You can alternatively depend on white list of db names:
$databases = array('dbone', 'dbtwo');
then check
if(in_array($_POST['db_name'], $databases) ){
$dbname = $_POST['db_name'];
}