My php script that calls a Microsoft SQL Stored Procedure escapes the & (ampersand) symbol (in the database I get & instead of &). Unfortunately I need the plain symbol (not the html entity or anything else). I have tried to work around it but I couldn't get it. I have used both PDO and SQLSRV methods. Does someone knows anyway around this? Thanks a lot.
SQLSRV:
$tsql_callSP = "{call MyStoredProcedure( ?, ?)}";
$values = array(
array($ID, SQLSRV_PARAM_IN),
array($Email, SQLSRV_PARAM_IN)
);
$stmt = sqlsrv_query( $conn, $tsql_callSP, $values);
sqlsrv_execute($stmt);
PDO:
$tsq = "EXECUTE MyStoredProcedure ?,?";
try
{
$stmt = $dbh->prepare($tsq);
$stmt->bindParam(1, $ID, PDO::PARAM_INT);
$stmt->bindParam(2, $Email, PDO::PARAM_STR);
$stmt->execute();
}
Related
Does anyone knows is there a function/statement that mix integer and string together at the end of bindParam PDO::PARAM_ ..here is an example:
$stmt = $dbc->prepare("INSERT INTO names (user_name, user_pass) VALUES (?, ?))";
$stmt->bindParam(1, $name, PDO::PARAM_STR);
$stmt->bindParam(2, $pass, PDO:: ????);
As you see its for the password. And as you know some people use a mixed password with numbers and alphabetics.
I'm trying to update data in a table with a BIT type value in it, like the following :
// $show_contact is either '1' or '0'
$query->bindValue(':scontact', $show_contact, PDO::PARAM_INT);
The problem is, it never changes the value, it remains '1' as set on PHPMyAdmin. I tried different PDO::PARAM_ types without success, everything else is working.
edit full script
$sql = "UPDATE users SET password = :password, address = :address, postal = :postal, city = :city, contact = :contact, show_contact = :scontact WHERE id = :id";
$query = $dbh->prepare($sql);
$query->bindValue(':id', $user->id, PDO::PARAM_INT);
$query->bindValue(':password', md5($password), PDO::PARAM_STR);
$query->bindValue(':address', $address, PDO::PARAM_STR);
$query->bindValue(':postal', $postal, PDO::PARAM_STR);
$query->bindValue(':city', $city, PDO::PARAM_STR);
$query->bindValue(':contact', $contact, PDO::PARAM_STR);
$query->bindValue(':scontact', $show_contact, PDO::PARAM_INT);
$query->execute();
PDO has a bit of a bug where any parameter passed to a query, even when specifically given as PDO::PARAM_INT is treated as a string and enclosed with quotes. READ THIS
The only way to tackle it is to try the following:
$show_contact = (int)$show_contact;
$query->bindValue(':scontact', $show_contact, PDO::PARAM_INT);
I believe that the BIT type is mapped to PDO's PARAM_BOOL. Try using it with strictly boolean input.
$show_contact = (bool) $show_contact; // '0' => FALSE, '1' => TRUE
$query->bindValue(':scontact', $show_contact, PDO::PARAM_BOOL);
I want to use a single database connection with multiple queries but use prepare and bind_param. How can i do this? I cant find it in the documentation.
Edit: i want two completely different queries.
$db = getConnection();
$query = "INSERT INTO talks(title, body, topic) VALUES(?, ?, ?)";
$stmt = $db->prepare($query);
$stmt->bind_param('sss', $title , $body, $topic);
$stmt->execute();
$stmt->close();
$query = "SELECT * WHERE title=?";
$stmt = $db->prepare($query);
$stmt->bind_param("s", $title);
$stmt->execute();
$stmt->bind_result($i, $t, $b, $to);
$stmt->fetch();
$id = $i;
$stmt->close();
Its telling me that $stmt isnt an object on the second go around
Just prepare a second query, as you did with the first.
$conn = new mysqli(....);
$stmt = $conn->prepare(....);
//Do stuff with $stmt
$stmt = $conn->prepare(...different...); //$stmt is overridden with the new query.
//Do stuff with the new $stmt.
I'm moving from MYSQL to PDO. I read the PDO official documentation, but I cannot find the fail on the code.
$name = 'fooUser';
$stmt = $PDO->prepare('SELECT * FROM users WHERE username=:name');
$stmt->bindParam(':name', $name, PDO::PARAM_INT );
$stmt->execute();
This query return me the affected rows, and it shouldn't happen.
Change
$stmt->bindParam(':name', $name, PDO::PARAM_INT );
To
$stmt->bindParam(':name', $name, PDO::PARAM_STR );
you are setting the wrong kind of input!
So this is my current code:
function addPage($uniquename, $ordernum, $title, $author, $content, $privilege, $description=NULL, $keywords=NULL){
if (!$description) $description = NULL;
if (!$keywords) $keywords = NULL;
//UPDATE `table` SET `ordernum` = `ordernum` + 1 WHERE `ordernum` >= 2
$query = "UPDATE ".$this->prefix."page SET ordernum = ordernum+1 WHERE ordernum >= ?";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("i", $ordernum);
$stmt->execute();
if (!arCheck($stmt)) return false;
} else {
$this->stmtError("addPage", $stmt->error);
}
$query = "INSERT INTO ".$this->prefix."page VALUES (LCASE(?), ?, ?, ?, ?, ?, ?, ?)";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("sisisssi", $uniquename, $ordernum, $title, $author, $content, $description, $keywords, $privilege);
$stmt->execute();
return arCheck($stmt);
} else {
$this->stmtError("addPage", $stmt->error);
}
}
It is suppose to add a new page to the datatable. The MySQL is courtesy of Phil Hunt from Store the order of something in MySQL
I know that you can use multiquery to accomplish the same thing, however I was told that prepared statement is better in performance, and security. Is there another way to do this? Like a prepared multi query?
Also, what about doing Transactions? I'm not fully sure of what that is, I assume that it's if, let's say, the INSERT statement fails, it will undo the UPDATE statement as well?
NOTE: the arCheck function will close the statement.
Prepared statements are indeed faster for repeated queries, at least in most cases. They're also safer because they automatically escape input values, preventing SQL injection attacks. If you want to use them in PHP you'll need the MySQLi extension.
You appear to have the right idea about transactions. With MySQLi there are commit and rollback methods, otherwise you can use mysql_query("COMMIT") or mysql_query("ROLLBACK").