MySQL REGEX with prepared statement: "?" being misunderstood - php

I've consulted this question for this problem, but couldn't seem to see the answer.
I have a prepared statement with a ? placeholder for a param I'm binding. Problem is, MySQL doesn't seem to like this because it's inside a REGEX block, like so:
$sql = 'SELECT id FROM teams WHERE name REGEXP "^(?)"';
$stmt = $db->prepare($sql);
$stmt->bind_param('s', implode('|', $letters));
This throws:
"Got error 'repetition-operator operand invalid' from regexp"
Is there a way of escaping the ? or something?
[EDIT]
Based on the comment below, I tried:
$sql = 'SELECT id FROM teams WHERE name REGEXP "^(:letters)"';
$stmt = $db->prepare($sql);
$stmt->bind_param(':letters', implode('|', $letters));
Now I get the error
"Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables"
Interestingly, I note I'm using bind_param() but the PHP docs say bindParam(). For me, the latter is an undefined method.
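The question above gets no answer on this page. As an added example (not the asker's code), this is how the pattern can be built in PHP and bound as one value, with the alternatives allow-listed first so that user input cannot alter the regex; it assumes $db is a connected mysqli object on PHP 8.1+ (errors thrown as exceptions, mysqlnd available) and the question's teams(id, name) table.

```php
<?php
// Added example; not code from the question above. Inside "^(?)" the ? is part
// of a string literal, so mysqli never treats it as a placeholder and MySQL's
// regex engine sees a bare repetition operator, hence the error. Build the
// whole pattern in PHP and bind it as a single value. Assumes $db is a
// connected mysqli instance (PHP 8.1+, mysqlnd) and a table teams(id, name).

function findTeamsStartingWith(mysqli $db, array $letters): array
{
    // Allow only plain letters. Anything else (".", "|", "(", a run of
    // quantifiers) would change the meaning or cost of the regex once it is
    // concatenated into the pattern: binding protects the SQL, not the regex.
    foreach ($letters as $l) {
        if (!is_string($l) || !ctype_alpha($l)) {
            throw new InvalidArgumentException('not a letter: ' . var_export($l, true));
        }
    }
    if ($letters === []) {
        return [];
    }
    $pattern = '^(' . implode('|', $letters) . ')';

    // The placeholder stands on its own, unquoted; the pattern is the value.
    $stmt = $db->prepare('SELECT id FROM teams WHERE name REGEXP ?');
    // bind_param takes its arguments by reference, so pass a variable,
    // not an expression such as implode(...).
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $ids = [];
    $res = $stmt->get_result();
    while ($row = $res->fetch_assoc()) {
        $ids[] = (int) $row['id'];
    }
    $stmt->close();
    return $ids;
}

// Constructed call: ids of teams whose name starts with a, b or c
// (case sensitivity follows the column's collation).
$ids = findTeamsStartingWith($db, ['a', 'b', 'c']);
```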

Related

SQLSTATE[HY093]: Invalid parameter number: parameter was not defined (php + pdo)

I have this query that works without the inner join:
$sql = 'SELECT prodotti.nome, prodotti.prezzo, prodotti.sku, prodotti.produttore, fornitori.nome
FROM prodotti INNER JOIN fornitori
ON prodotti.fornitori_id = fornitori.id
WHERE prodotti.id = :prodotti.id';
$id = 1; // for example
// $this->db is the connection
$stmt = $this->db->prepare($sql);
$stmt->bindParam(':prodotti.id', $id, PDO::PARAM_INT);
$stmt->execute();
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
$prodlist[$id] = $results;
var_dump($prodlist);
If I run it I get this error:
Fatal error: Uncaught PDOException: SQLSTATE [HY093]: Invalid parameter number: parameter was not defined in ........
It seems that the error lies in the WHERE clause. In particular, reading online, I discovered that it could be a problem to do this: WHERE prodotti.id = :prodotti.id;
They suggest doing, for example: WHERE prodotti.id = :id'; and then the same thing in bindParam: $stmt->bindParam(':id', $id, PDO::PARAM_INT);
In fact, doing so works halfway, in the sense that it gives me back only the data from the first table ('products'), ignoring the second ('suppliers').
Can anyone tell me where I am wrong? Thanks
If I run this query in the SQL section of the DB, it works.
SELECT prodotti.nome, prodotti.prezzo, prodotti.sku, prodotti.produttore, fornitori.nome
FROM prodotti INNER JOIN fornitori
ON prodotti.fornitori_id = fornitori.id
WHERE prodotti.id = 1
As some users have pointed out to me elsewhere (and in fact this partially solves the problem), the dot cannot be used in the binding, as reported in the guide at this link:
https://phpdelusions.net/pdo
"Note that PDO supports positional (?) and named (:email) placeholders, the latter always begins from a colon and can be written using letters, digits and underscores only. Also note that no quotes have to be ever used around placeholders."
Now it works correctly! Thanks

PDO Object: Invalid parameter number: number of bound variables does not match number of tokens

$queryString = 'SELECT * FROM n8593370.items WHERE 1 = 1 AND Suburb = :suburb AND Name LIKE \'%:name%\'';
$stmt = $pdo->prepare($queryString);
$stmt->bindValue(':suburb', $suburb);
$stmt->bindValue(':name', $name);
$stmt->execute();
$results = $stmt->fetchAll();
I am getting the above mentioned error and cannot for the life of me figure out why.
I am certain I only have 2 variables to bind and that I indeed bind both.
When I perform this with each conditional on its own, i.e. WHERE 1 = 1 AND Suburb = :suburb or WHERE 1 = 1 AND Name LIKE '%:name%', I do not have any errors.
Although the latter of the two conditionals does not return any results, when I test it in MySQL Workbench it works as I expect.
Can anybody shed some light on the issue?
When using placeholder values it's important to leave any and all escaping out of the query. The value itself should be bare, PDO will take care of the escaping for you if you're disciplined about using placeholder values.
Specify it this way:
"...name LIKE :name..."
Then you bind this way:
$stmt->bindValue(':name', "%$name%");

PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: parameter was not defined

Below is my code, I am not able to resolve this error. Any help is appreciated. I am trying to update a table in my database.
public function updateUnit($params){
    $user = 'monil';
    $password = 'Masters123';
    $dbh = new \PDO('mysql:host=127.0.0.1;dbname=tcsdb', $user, $password);
    $task = array(':UnitCode' => $params['UnitCode'], ':UnitDescription' => $params['UnitDescription'],
        ':UnitName' => $params['UnitName'], ':UnitID' => $params['UnitID']);
    echo $params['UnitID'];
    $sth = $dbh->prepare('UPDATE unit SET UnitCode = :UnitCode,'
        . 'UnitDescription = :UnitDescription,UnitName = :UnitName WHERE UnitId=:UnitId');
    $sth->execute($task);
    return true;
}
Parameter names used in execute()/binding should be an exact match for the parameter names used in the SQL query. That's the point of named parameters.
You need to check every placeholder in SQL, whether its name matches the name used in execute(), bindParam() or bindValue().
In your case, :UnitID is not the same as :UnitId, there is a difference in the letter case.
In a rare case, the error can be caused by improper placeholder name. The only characters allowed are [a-zA-Z0-9_].
The same error arises when you miss the : colon while creating the statement.
For example:
The statement below throws the invalid parameter error because password in VALUES is missing the : colon.
$stmt = $db->prepare('INSERT INTO members (username,password) VALUES (:username, password)');
The same error may occur if you use a "." dot in bindParam.
For example:
$query = "select * from t where t1 = :foo.bar";
$stmt = $pdo->prepare($query);
$stmt->execute([':foo.bar' => 'blah']);

PDO: Binding Values Wrapped in Single Quotes for MATCH() Query

I'm having some difficulty with implementing fulltext() searching into my queries. Now the parameters in the AGAINST() segment won't invoke an error - unless they're wrapped in single-quotes.
Error: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens
Which makes sense, as they shouldn't be literals; instead they should be strings, so the values aren't being bound, right? But in order for this query to function, the parameters in AGAINST() must be surrounded by single quotes.
MATCH(features) AGAINST(':feature_set :feature_unset')
$bind_array[":feature_set"] = $feature_set;
$bind_array[":feature_unset"] = $feature_unset;
$stmt = $conn->prepare($query);
$stmt->execute($bind_array);
:feature_set :feature_unset
would return a string formatted like so:
+Softaculous -Free Domain -Site Builder -Fantastico
Does anyone know of a solution for this? Much appreciated, thanks!
Try it this way
$query = '... MATCH(features) AGAINST(:against IN BOOLEAN MODE)';
$bind_array[":against"] = $feature_set . ' ' . $feature_unset;
$stmt = $conn->prepare($query);
$stmt->execute($bind_array);
Here is the SQLFiddle demo.

PHP $stmt->bind_param() Number of variables doesn't match

For some unknown reason my code doesn't seem to be working. I have checked all over google, but no one else seems to have the same problem. Could it be a bug with PHP?
The error I get:
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of variables doesn't match number of parameters in prepared statement in /home/a9684274/public_html/system/db.php on line 102
The Code:
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username='?'");
$name = "Vilsol";
$stmt->bind_param("s", $name);
Thanks in advance!
Remove the single quotes ':
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username=?");
In your code they will just be interpreted as a string value and not as a parametrizable value.
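Across the PDO and mysqli questions above (the :prodotti.id name, :UnitID versus :UnitId, '%:name%', ':feature_set :feature_unset' and '?' inside quotes) the failure is the same: the driver never sees the placeholder the author intended. As an added example (not from any of the answers), this lint checks a SQL string against its bind array before execute() and reports those cases; lintPlaceholders and its assumptions (PHP 8.1+, literals without backslash escapes) are assumed here, not part of PDO.

```php
<?php
// Added example; not code from any of the answers above. Pre-flight lint for a
// PDO SQL string and its bind array, reporting the mistakes these questions hit
// before the driver raises HY093: placeholders hidden inside quoted literals,
// illegal characters in a name, and keys that do not match the SQL exactly.
// Assumes PHP 8.1+ (array_is_list) and literals without backslash escapes.
function lintPlaceholders(string $sql, array $bound): array
{
    $problems = [];
    $literal  = "/'[^']*'|\"[^\"]*\"/";
    // '?' or ':name' inside a string literal is data to the driver, never a
    // placeholder: '%:name%', '?', ':feature_set :feature_unset'.
    preg_match_all($literal, $sql, $lits);
    foreach ($lits[0] as $lit) {
        if (preg_match('/\?|:[A-Za-z0-9_]/', $lit)) {
            $problems[] = "placeholder inside quoted literal: $lit";
        }
    }
    $bare = preg_replace($literal, "''", $sql);   // keep only real tokens
    // Names may only use [a-zA-Z0-9_]; ':prodotti.id' is read as ':prodotti'.
    preg_match_all('/:([A-Za-z0-9_]+)(\.[A-Za-z0-9_]*)?/', $bare, $m, PREG_SET_ORDER);
    $inSql = [];
    foreach ($m as $tok) {
        if (!empty($tok[2])) {
            $problems[] = "illegal character in placeholder name: {$tok[0]}";
        }
        $inSql[$tok[1]] = true;
    }
    // PDO accepts keys with or without the colon; normalise but keep the case.
    $inBind = array_fill_keys(array_map(fn($k) => ltrim($k, ':'), array_filter(array_keys($bound), 'is_string')), true);
    foreach (array_keys(array_diff_key($inSql, $inBind)) as $name) {
        $problems[] = "in SQL but not bound: :$name";
    }
    foreach (array_keys(array_diff_key($inBind, $inSql)) as $name) {
        $problems[] = "bound but not in SQL: :$name";
    }
    // Positional form: a list-style bind array must match the '?' count.
    $positional = substr_count($bare, '?');
    if (array_is_list($bound) && $positional !== count($bound)) {
        $problems[] = "$positional '?' placeholders but " . count($bound) . ' values';
    }
    return $problems;
}
// Constructed self-checks taken from the questions above.
assert(lintPlaceholders('UPDATE unit SET UnitName = :UnitName WHERE UnitId = :UnitId',
    [':UnitName' => 'x', ':UnitID' => 1])
    === ['in SQL but not bound: :UnitId', 'bound but not in SQL: :UnitID']);
assert(lintPlaceholders("SELECT * FROM users WHERE username='?'", ['Vilsol'])
    === ["placeholder inside quoted literal: '?'", "0 '?' placeholders but 1 values"]);
```

Run it on a query before prepare() and treat any non-empty return as a bug in the calling code; the time-literal case ('12:30') will be flagged by the literal check and can be ignored.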
