This question already has answers here:
Table name as parameter using PDO/MySQL prepared statement [duplicate]
(2 answers)
Closed 8 years ago.
$dbh = new PDO('mysql:host=' . $_POST['db_host'], $_POST['db_user'], $_POST['db_user_password']);
$sql = 'CREATE DATABASE :db_name';
$sth = $dbh->prepare($sql);
$sth->bindParam(':db_name', $_POST['db_name']);
var_dump($sth->execute());
It always shows false. But if I specify db_name directly, like this:
$sql = 'CREATE DATABASE database';
$sth = $dbh->prepare($sql);
$sth->execute();
it works. What am I doing wrong?
You can only bind data (column values) in a parametrized query, not column names or table names. Also, in your code you tried to parametrize the connection initialization, which I think is not correct.
You can alternatively depend on a whitelist of DB names:
$databases = array('dbone', 'dbtwo');
then check
if (in_array($_POST['db_name'], $databases)) {
    $dbname = $_POST['db_name'];
}
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Can I use a PDO prepared statement to bind an identifier (a table or field name) or a syntax keyword?
(1 answer)
Closed 7 months ago.
My SQL request doesn't work if I use a function parameter to choose the column.
My goal is to have one function for all requests.
Thanks in advance.
// The posted snippet ends with "return $user; }", so it is assumed to sit inside
// a function taking the column name and the value (function name is hypothetical).
function getUserBy($parameter, $value) {
    $dbh = Connection::getPdo();
    try {
        // The first ? stands where a column name is expected; PDO binds it as a
        // string literal, so the WHERE clause compares two strings, not a column.
        $sth = $dbh->prepare('SELECT users_id, nom, prenom, password, role, email, users_login FROM users WHERE ? = ?');
        $value = "'" . $value . "'"; // manual quoting on top of binding: the quotes become part of the value
        $sth->execute(array($parameter, $value));
        $data = $sth->fetch(PDO::FETCH_ASSOC);
        $user = new Users();
        $user->setUserFromArray($data);
    } catch (PDOException $e) {
        die("ERROR: Could not execute query " . $e->getMessage());
    }
    return $user;
}
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 2 years ago.
I want to insert into a new SQL table; the code runs but it doesn't insert anything into the database.
I tried to read back through the PDO manual but I don't understand which part I got wrong.
$query = "INSERT INTO 'easycomputing'('STID', 'NAME', 'TONG') VALUES (:STID, :NAME, :TONG)";
$dns = "mysql:host=localhost;dbname=phan1";
$username = "root";
$password = "";
try {
    // access the database
    $db = new PDO($dns, $username, $password);
    // prepare the query
    $statement = $db->prepare($query);
    $statement->bindValue(':STID', 137, PDO::PARAM_INT);
    $statement->bindValue(':NAME', 'tenten', PDO::PARAM_STR);
    $statement->bindValue(':TONG', 5, PDO::PARAM_INT);
    // execute the query
    if ($statement->execute()) {
        echo "record transferred successfully";
    } else {
        echo "fail to execute the record";
    }
} catch (PDOException $e) {
    // closing catch block added so the try statement is complete
    echo "Error: " . $e->getMessage();
}
Sorry, but I think that you shouldn't put the names of the columns between quotes: (STID, NAME, TONG)
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 2 years ago.
I'm trying to run multiple queries using mysqli, guys. Yet it's not populating the database. Any ideas?
$q2="UPDATE ticketinfo SET ticketstatus = $status where ticketno = $ticket;
insert into ticketinfo (remarks) values ('$remarks')";
$ex2= mysqli_multi_query($conn,$q2);
SQL queries should be executed sequentially. Never use mysqli_multi_query() with variable input. You should be using parameterized prepared statements. There is hardly any use case for mysqli_multi_query() at all.
Your code should look like this:
// your mysqli connection
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'username', 'password', 'dbname');
$mysqli->set_charset('utf8mb4'); // always set the charset
// First query
$stmt = $mysqli->prepare('UPDATE ticketinfo SET ticketstatus = ? WHERE ticketno = ?');
$stmt->bind_param('ss', $status, $ticket);
$stmt->execute();
// Second query
$stmt = $mysqli->prepare('INSERT INTO ticketinfo (remarks) VALUES (?)');
$stmt->bind_param('s', $remarks);
$stmt->execute();
I used two prepared statements and bound the input separately. This is a much better, cleaner and safer option than mysqli_multi_query().
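Added example, not part of the answer above: the same two prepared statements run one after the other inside a transaction, so if the INSERT fails the UPDATE is rolled back rather than leaving the ticket half-updated. With MYSQLI_REPORT_STRICT, failures arrive as mysqli_sql_exception and are logged server-side instead of being echoed. The connection credentials, the ticketinfo schema and the POST field names are assumptions matching the question.

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update a ticket's status and record a remark as one atomic unit of work.
 * Returns true on commit, false after a rollback.
 */
function updateTicket(mysqli $mysqli, string $status, string $ticket, string $remarks): bool
{
    $mysqli->begin_transaction();
    try {
        // First query: values are bound, never interpolated into the SQL text.
        $stmt = $mysqli->prepare('UPDATE ticketinfo SET ticketstatus = ? WHERE ticketno = ?');
        $stmt->bind_param('ss', $status, $ticket);
        $stmt->execute();

        // Second query, executed only after the first succeeded.
        $stmt = $mysqli->prepare('INSERT INTO ticketinfo (remarks) VALUES (?)');
        $stmt->bind_param('s', $remarks);
        $stmt->execute();

        $mysqli->commit();
        return true;
    } catch (mysqli_sql_exception $e) {
        $mysqli->rollback();                                   // undo the UPDATE as well
        error_log('ticket update failed: ' . $e->getMessage()); // keep SQL errors out of the HTTP response
        return false;
    }
}

// Usage (hypothetical credentials and request fields):
$mysqli = new mysqli('localhost', 'username', 'password', 'dbname');
$mysqli->set_charset('utf8mb4'); // always set the charset
$ok = updateTicket(
    $mysqli,
    (string) ($_POST['status'] ?? ''),
    (string) ($_POST['ticket'] ?? ''),
    (string) ($_POST['remarks'] ?? '')
);
echo $ok ? 'ticket updated' : 'ticket update failed';
```

Both statements stay as they were in the answer; the transaction only adds the guarantee that either both rows change or neither does, and the exception mode means a typo in the SQL surfaces as an error rather than as an empty table.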
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
I know the connection works, as I have used it to insert data into the tables, but I can't seem to pull it out. Any help would be greatly appreciated.
// Gets id from url
$projectid = $_GET['id'];
try {
    // DB CONNECTION
    $link = $database->connection;
    $link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Query for projects
    $q = ("SELECT * FROM projects WHERE id=':pid'");
    $prep = $link->prepare($q);
    $array = array(
        ':pid' => $projectid
    );
    $prep->execute($array);
} catch (PDOException $pde) {
    echo $pde->getMessage();
    die();
}
// Method to retrieve results
while ($r = $prep->fetch()) {
    echo $r['projectname'];
}
When you are using PDO with prepared statements, you don't need the single quotes around the pid term. PDO automatically inserts those for you. Just do:
$q = ("SELECT * FROM projects WHERE id = :pid");
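Added example, not from this answer or the earlier INSERT question: the same INSERT and SELECT with MySQL quoting rules applied consistently. Identifiers (table and column names) get backticks, string literals get single quotes, and a placeholder gets no quotes at all because PDO sends the bound value separately. Table and column names are the ones from the two questions; the DSN and credentials are placeholders.

```php
<?php
declare(strict_types=1);

/** Open a PDO connection that raises exceptions, so a failed INSERT is not silent. */
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=phan1;charset=utf8mb4';
    return new PDO($dsn, 'root', '', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]);
}

/** INSERT with backtick-quoted identifiers; returns the number of rows inserted. */
function insertRow(PDO $db, int $stid, string $name, int $tong): int
{
    // WRONG: INSERT INTO 'easycomputing'('STID', ...)  -> 'easycomputing' is a string literal
    // RIGHT: INSERT INTO `easycomputing` (`STID`, ...)
    $sql = 'INSERT INTO `easycomputing` (`STID`, `NAME`, `TONG`) VALUES (:STID, :NAME, :TONG)';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':STID', $stid, PDO::PARAM_INT);
    $stmt->bindValue(':NAME', $name, PDO::PARAM_STR);
    $stmt->bindValue(':TONG', $tong, PDO::PARAM_INT);
    $stmt->execute(); // throws PDOException on failure instead of returning false
    return $stmt->rowCount();
}

/** SELECT with an unquoted placeholder; returns the matching project names. */
function projectNames(PDO $db, int $projectId): array
{
    // WRONG: WHERE id = ':pid'  -> ':pid' is a string literal, nothing is bound
    // RIGHT: WHERE id = :pid
    $stmt = $db->prepare('SELECT projectname FROM `projects` WHERE id = :pid');
    $stmt->bindValue(':pid', $projectId, PDO::PARAM_INT); // typed, so ?id=abc never reaches SQL as text
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Usage:
// $db = connect();
// insertRow($db, 137, 'tenten', 5);                     // 1
// print_r(projectNames($db, (int) ($_GET['id'] ?? 0)));
```

The exception error mode is the practical part: with the default silent mode, a query that MySQL rejects because of a mis-quoted identifier simply returns false and the table stays empty, which is exactly the symptom both questions describe.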
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
I currently use mysql_real_escape_string to escape variables in MySQL queries. I know how to use bindValue, but I have a question about protection when I'm trying to insert a table name from a variable. For example:
$tablename = mysql_real_escape_string($name_from_form);
$get = mysql_query("SELECT * FROM ".$tablename." WHERE keyword='something'");
Can anybody help me with an example of how to do PDO prepared statements which will do the same as above?
You won't be able to escape the table name (I hope that $tablename isn't coming from an outside source; if it is, you will need to whitelist what table names are allowed). In PDO, your code could look something like:
$allowedTables = array('posts', 'users');
if (!in_array($tablename, $allowedTables)) {
    throw new Exception('Invalid table name: ' . $tablename);
}
$keyword = 'something';
$stmt = $dbh->prepare("SELECT * FROM " . $tablename . " WHERE keyword = :keyword");
$stmt->bindParam(':keyword', $keyword);
$stmt->execute();
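Added example, not taken from any of the answers above: one helper that covers the three identifier cases on this page, the database name in CREATE DATABASE (first question), the column name in a generic lookup function (second question), and the table name here. PDO cannot bind identifiers, so each one is checked against a fixed allow-list with a strict comparison and then backtick-quoted before being spliced into the SQL; only the values go through bound parameters. The allow-list contents, the function names and the $pdo connection are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Return $identifier backtick-quoted if it is in $allowed, otherwise throw.
 * Strict in_array() avoids type juggling; the check is case-sensitive.
 */
function safeIdentifier(string $identifier, array $allowed): string
{
    if (!in_array($identifier, $allowed, true)) {
        throw new InvalidArgumentException('Identifier not permitted: ' . $identifier);
    }
    // Any literal backtick inside the name is doubled, as MySQL requires.
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// Fixed vocabularies for this application (hypothetical names).
const ALLOWED_DATABASES = ['dbone', 'dbtwo'];
const ALLOWED_TABLES    = ['posts', 'users'];
const ALLOWED_COLUMNS   = ['users_id', 'email', 'users_login'];

/** CREATE DATABASE with an allow-listed name (first question). */
function createDatabase(PDO $pdo, string $dbName): void
{
    $sql = 'CREATE DATABASE ' . safeIdentifier($dbName, ALLOWED_DATABASES);
    $pdo->exec($sql); // no placeholders remain, so exec() is enough
}

/** One lookup function for several columns (second question). */
function findUserBy(PDO $pdo, string $column, string $value): ?array
{
    $sql = 'SELECT users_id, nom, prenom, role, email, users_login FROM users WHERE '
         . safeIdentifier($column, ALLOWED_COLUMNS) . ' = :value';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]); // the value is bound, never quoted by hand
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** SELECT from an allow-listed table with a bound keyword (this question). */
function selectByKeyword(PDO $pdo, string $table, string $keyword): array
{
    $sql = 'SELECT * FROM ' . safeIdentifier($table, ALLOWED_TABLES)
         . ' WHERE keyword = :keyword';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':keyword', $keyword);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes an open connection; the DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// createDatabase($pdo, 'dbone');                           // runs
// $u = findUserBy($pdo, 'email', (string) ($_POST['email'] ?? '')); // column checked, value bound
// selectByKeyword($pdo, 'accounts', 'x');                  // throws: not in ALLOWED_TABLES
```

The allow-list is the real control; the backticks only make the accepted name unambiguous to MySQL. Keeping the lists as constants in code, rather than building them from the request, is what makes a request-supplied identifier harmless regardless of its contents.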