This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Get query back from PDO prepared statement
Exists any method to show, the query executed sql query in PDO Statement object?
Ex:
$sql="SELECT * FROM table WHERE id=?";
$res=$con->prepare($sql);
$res->execute(array(1));
I like to view a query similar this: "SELECT * FROM table WHERE id=1"
$res->queryString should contain what you need. You can check out the documentation here.
Related
This question already has answers here:
How to echo a MySQLi prepared statement?
(6 answers)
Closed 5 years ago.
Is there any function that will return the prepared query string after processing all the parameters. like
$stmt = $conn->prepare("SELECT full_name FROM user_info where user_id = ?");
$stmt->bind_param("s", $user_id);
Can I see the final query string that will execute?
If the driver is capable of using prepared statements, if it doesn't require emulation, then the final query executed is the prepared statement.
If you want to find out what was executed, you need to turn on the general query log on your server. That can be very, very noisy and fill up your disk quickly on a busy server.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
If you use htmlspecialchars() when receiving input from the user, like:
$email = htmlspecialchars($_POST['email']);
Should you use a prepared statement if the query is just a SELECT one?
You should always use prepared statements. Here's an exemple:
if user inputs the following:
"105 or 1=1"
The htmlspecialchars() function won't do anything to it.
The query would look like:
SELECT * FROM Users WHERE UserId = 105 or 1=1
See this doc
This question already has answers here:
Can PHP PDO Statements accept the table or column name as parameter?
(8 answers)
Closed 9 years ago.
Problem
I get a PDO syntax error when running a PDO statement where the table name is parametrized, like in
$sql = 'DELETE FROM :table_name';
$query = $this->db->prepare($sql);
$query->execute(array(':table_name' => "mytable"));
I could reproduce the problem with SELECT etc., so it's a general issue.
I tried to write it with backticks, with database name in front of it, a combination of both etc, nothing works.
Question
How to do this ?
You cannot parameterize table names, column names, or anything in an IN clause (it'll have to be bound separately). See this comment on php.net.
See also: Can PHP PDO Statements accept the table or column name as parameter?
You can't parameteterize table name with PDO and MySQLi prepared statements, because SQL server needs basic information to prepare the query before executing actual query.
This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Use an array in a mysqli prepared statement: `WHERE .. IN(..)` query [duplicate]
(8 answers)
Closed 11 months ago.
I have an array of category ids and want to retrieve articles from my mysql database with these category ids. What is the best method for this?
mysql_query('SELECT * FROM articles WHERE category_id IN (\''.implode('\'',array_map('mysql_real_escape_string',$categories)).'\')');
Specify how articles are joined to categories if this is not how your db/table setup.
Look here:
I have an array of integers, how do I use each one in a mysql query (in php)?
for a safe, parameter-based approach and code sample.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
PDO Prepared Statements
I'm using the mysqli extension in PHP and I'm wondering, is there possibly any way to see a prepared query as it will be executed on the server, e.g. The query is something like this
select * from table1 where id = ? and name = ?
but I want to see the query after the values are filled in, like this:
select * from table1 where id = 20 and name = "John"
Turn on mysql query logging and it will log all queries to a text file for you to review.
Duplicate of PDO Prepared Statements
Short answer: no. A prepared query will never be converted to the query you expect. It's executed directly by the database server. You can use mysql's query log or PDO's undocumented function debugDumpParams, but both are just approximations.
See it where?
If it's your code you have the query and you have the prepared parameters, log them separately or replace in the original query string.
If the binding will fail you will get an error, otherwise you should expect the same values to be "filled" in as you specified them.
Its the way most of the times I am debugging mysql quires:
$q = "select * from table1 where id = ".$id." and name = ".$name;
echo $q;
The output generates all variables assigned to the query.
Hope I understood you exactly, what you wanted.