For some unknown reason my code doesn't seem to be working. I have checked all over Google, but no one else seems to have the same problem. Could it be a bug with PHP?
The error I get:
Warning: mysqli_stmt::bind_param() [mysqli-stmt.bind-param]: Number of variables doesn't match number of parameters in prepared statement in /home/a9684274/public_html/system/db.php on line 102
The Code:
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username='?'");
$name = "Vilsol";
$stmt->bind_param("s", $name);
Thanks in advance!
Remove the single quotes ':
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username=?");
In your code they will just be interpreted as a string value and not as a parametrizable value.
Related
$queryString = 'SELECT * FROM n8593370.items AND Suburb = :suburb AND Name LIKE \'%:name%\'';
$stmt = $pdo->prepare($queryString);
$stmt->bindValue(':suburb', $suburb);
$stmt->bindValue(':name', $name);
$stmt->execute();
$results = $stmt->fetchAll();
I am getting the above-mentioned error and cannot for the life of me figure out why.
I am certain I only have 2 variables to bind and that I indeed bind both.
When I perform this with each conditional on their own i.e. WHERE 1 = 1 AND Suburb = :suburb or WHERE 1 = 1 AND Name LIKE \'%:name%\' I do not have any errors.
ALTHOUGH the latter of the two conditionals does not return any results, however when I test it in MySQL Workbench it works as I expect it.
Can anybody shed some light on the issue?
When using placeholder values it's important to leave any and all escaping out of the query. The value itself should be bare; PDO will take care of the escaping for you if you're disciplined about using placeholder values.
Specify it this way:
"...name LIKE :name..."
Then you bind this way:
$stmt->bindValue(':name', "%$name%");
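Added example (not part of the original answer): the binding above, run against an in-memory SQLite table with constructed rows. It goes one step further and escapes the LIKE wildcards in the user's term, so a search for % matches only a literal percent sign; the likeContains and findItems helpers and the '!' escape character are assumptions of this example.

```php
<?php
// Constructed table and rows; in-memory SQLite so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (Name TEXT, Suburb TEXT)');
$ins = $pdo->prepare('INSERT INTO items (Name, Suburb) VALUES (?, ?)');
$rows = [['Corner Cafe', 'Kelvin Grove'], ['100% Juice', 'Kelvin Grove'], ['Cafe_Two', 'Paddington']];
foreach ($rows as $row) {
    $ins->execute($row);
}

// Hypothetical helper: make %, _ and the escape character itself literal,
// then add the "contains" wildcards that belong to the query's intent.
function likeContains(string $term): string
{
    // '!' is replaced first so the escapes added for % and _ are not doubled.
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

// Hypothetical helper: both values travel as bound parameters; the SQL text
// holds bare placeholders only, with no quotes and no wildcards around :name.
function findItems(PDO $pdo, string $suburb, string $name): array
{
    $stmt = $pdo->prepare(
        "SELECT Name FROM items WHERE Suburb = :suburb AND Name LIKE :name ESCAPE '!'"
    );
    $stmt->bindValue(':suburb', $suburb);
    $stmt->bindValue(':name', likeContains($name));
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed search terms: a plain word, a bare wildcard, a value with a quote.
foreach (['Cafe', '%', "O'Brien"] as $term) {
    echo json_encode($term), ' => ', json_encode(findItems($pdo, 'Kelvin Grove', $term)), "\n";
}
```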
Below is my code, I am not able to resolve this error. Any help is appreciated. I am trying to update a table in my database.
public function updateUnit($params){
    $user = 'monil';
    $password = 'Masters123';
    $dbh = new \PDO('mysql:host=127.0.0.1;dbname=tcsdb', $user, $password);
    $task=array(':UnitCode'=>$params['UnitCode'],':UnitDescription'=>$params['UnitDescription'] ,
        ':UnitName'=>$params['UnitName'], ':UnitID'=>$params['UnitID']);
    echo $params['UnitID'];
    $sth = $dbh->prepare('UPDATE unit SET UnitCode = :UnitCode,'
        . 'UnitDescription = :UnitDescription,UnitName = :UnitName WHERE UnitId=:UnitId');
    $sth->execute($task);
    return true;
}
Parameter names used in execute()/binding should be an exact match for the parameter names used in the SQL query. That's the point of named parameters.
You need to check every placeholder in SQL, whether its name matches the name used in execute(), bindParam() or bindValue().
In your case, :UnitID is not the same as :UnitId, there is a difference in the letter case.
In a rare case, the error can be caused by an improper placeholder name. The only characters allowed are [a-zA-Z0-9_].
The same error arises when you miss the : colon while creating the statement.
ex:
The statement below throws an invalid parameter error, as password in VALUES is missing the : colon.
$stmt = $db->prepare('INSERT INTO members (username,password) VALUES (:username, password)');
The same error may occur if you use a "." dot in bindParam
ex.
$query = "select * from t where t1 = :foo.bar";
$stmt = $pdo->prepare($query);
$stmt->execute([':foo.bar' => 'blah']);
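A check for the mismatches described in the answers above, as an added example that is not code from any of the posts: it compares the named placeholders in a query string with the keys handed to execute(). The function name checkNamedParams and the sample statements are assumptions of this example, and quoted literals are recognised with a simple pattern that ignores backslash escapes.

```php
<?php
// Quoted SQL literals ('...' or "..."); backslash escapes are not modelled.
const QUOTED = "/'[^']*'|\"[^\"]*\"/";

// Hypothetical helper: list the ways $sql and the execute() array disagree.
function checkNamedParams(string $sql, array $params): array
{
    $problems = [];
    // A ? or :name inside quotes is literal text, never a placeholder.
    preg_match_all(QUOTED, $sql, $literals);
    foreach ($literals[0] as $lit) {
        if (preg_match('/\?|:[a-zA-Z0-9_]+/', $lit)) {
            $problems[] = "placeholder inside quoted literal: $lit";
        }
    }
    // Collect the names left once the literals are blanked out.
    $bare = preg_replace(QUOTED, "''", $sql);
    preg_match_all('/(?<![:\w]):([a-zA-Z0-9_]+)/', $bare, $m);
    $inSql = array_unique($m[1]);

    $bound = [];
    foreach (array_keys($params) as $key) {
        $name = ltrim((string) $key, ':');   // PDO accepts keys with or without ':'
        if (!preg_match('/^[a-zA-Z0-9_]+$/', $name)) {
            $problems[] = "invalid character in bound name: $key";
        }
        $bound[] = $name;
    }
    // array_diff compares as strings, so UnitID and UnitId are different names.
    foreach (array_diff($inSql, $bound) as $n) {
        $problems[] = "in SQL but never bound: :$n";
    }
    foreach (array_diff($bound, $inSql) as $n) {
        $problems[] = "bound but not in SQL: :$n";
    }
    return $problems;
}

// Constructed cases modelled on the statements quoted on this page.
$cases = [
    ["SELECT * FROM items WHERE Name LIKE '%:name%'", [':name' => 'x']],
    ['UPDATE unit SET UnitName = :UnitName WHERE UnitId = :UnitId', [':UnitName' => 'a', ':UnitID' => 1]],
    ['INSERT INTO members (username,password) VALUES (:username, password)', [':username' => 'u', ':password' => 'p']],
    ['select * from t where t1 = :foo.bar', [':foo.bar' => 'blah']],
];
foreach ($cases as [$sql, $params]) {
    echo $sql, "\n  ", implode("\n  ", checkNamedParams($sql, $params) ?: ['ok']), "\n";
}
```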
I've consulted this question for this problem, but couldn't seem to see the answer.
I have a prepared statement with a ? placeholder for a param I'm binding. Problem is, MySQL doesn't seem to like this because it's inside a REGEX block, like so:
$sql = 'SELECT id FROM teams WHERE name REGEXP "^(?)"';
$stmt = $db->prepare($sql);
$stmt->bind_param('s', implode('|', $letters));
This throws:
"Got error 'repetition-operator operand invalid' from regexp"
Is there a way of escaping the ? or something?
[EDIT]
Based on the comment below, I tried:
$sql = 'SELECT id FROM teams WHERE name REGEXP "^(:letters)"';
$stmt = $db->prepare($sql);
$stmt->bind_param(':letters', implode('|', $letters));
Now I get the error
"Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables"
Interestingly, I note I'm using bind_param() but the PHP docs say bindParam(). For me, the latter is an undefined method.
I'm having some difficulty with implementing fulltext() searching into my queries. Now the parameters in the AGAINST() segment won't invoke an error - unless they're wrapped in single-quotes.
Error: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens
Which makes sense as they shouldn't be literals, instead, they should be strings, so the values aren't being bound, right? But in order for this query to function the parameters in AGAINST() must be surrounded by single quotes.
MATCH(features) AGAINST(':feature_set :feature_unset')
$bind_array[":feature_set"] = $feature_set;
$bind_array[":feature_unset"] = $feature_unset;
$stmt = $conn->prepare($query);
$stmt->execute($bind_array);
:feature_set :feature_unset
Would return a string formatted like so:
+Softaculous -Free Domain -Site Builder -Fantastico
Does anyone know of a solution for this? Much appreciated, thanks!
Try it this way
$query = '... MATCH(features) AGAINST(:against IN BOOLEAN MODE)';
$bind_array[":against"] = $feature_set . ' ' . $feature_unset;
$stmt = $conn->prepare($query);
$stmt->execute($bind_array);
Here is SQLFiddle demo.
I have been coding for a few hours on this thing, so I think I am missing something very simple here, but I can't seem to find it.
I am getting these 2 errors
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 77
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 79
public function resetPassword($password, $email){
    $rst = $this->db->prepare("insert into users (password) values (?) where email=? ");
    $rst->bindParam('?', $password);
    $rst->bindParam('?', $email);
    $rst->execute();
    if($rst->execute()){
        return "Password changed!";
    }
    else echo "Could not change password.";
}
Am I forgetting something?
When using question marks as placeholders, you send an array to the execute method, like so: $rst->execute(array('placeholder1value', 'placeholder2value'));
However, if you want to use named placeholders, you would bindParam/bindValue them, like so:
$stmt = $pdo->prepare('INSERT INTO table (key1, key2) VALUES (:key1, :key2)');
$stmt->bindValue(':key1', 'somevalue', PDO::PARAM_STR);
$stmt->bindValue(':key2', 3532, PDO::PARAM_INT);
$stmt->execute();
Please read about the difference between bindParam and bindValue
And another note, your SQL query doesn't make sense, do you mean to do an UPDATE?