I am trying to execute the following sql from php using pdo: SELECT * FROM my_table WHERE name=?.
When I do this:
$sql = 'SELECT * FROM my__table WHERE name=?' ;
$stmt = $dbconn->prepare($sql);
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);
$stmt->execute();
I get an empty result set.
When I do this:
$sql = 'SELECT * FROM my__table WHERE name=\''.$_POST['name'].'\'' ;
$stmt = $dbconn->prepare($sql);
$stmt->execute();
I get the row that I need.
The column 'name' is a VARCHAR(32). This bug only happens with strings. When the bound parameter is an sql INTEGER everything works like it is supposed to.
I am using sqlite3, php 5.2.6 under Apache on Ubuntu.
Both of these should work:
Without using binding
$sql = "SELECT * FROM my__table WHERE name = ? " ;
$stmt = $dbconn->prepare($sql);
$stmt->execute(array($_POST['name']));
Using a named parameter
$sql = "SELECT * FROM my__table WHERE name = :name " ;
$stmt = $dbconn->prepare($sql);
$stmt->bindParam(':name', $_POST['name'], PDO::PARAM_STR);
$stmt->execute(array($_POST['name']));
What about this?
$sql = "SELECT * FROM my__table WHERE name='?'" ;
$stmt = $dbconn->prepare($sql);
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);
$stmt->execute();
Related
This is my code:
function getUsers($connection ,$username) {
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam("s", $username, PDO::PARAM_STR);
return $stmt->fetchAll();
}
$voornaam = "dave";
$users = getUsers($connection, $voornaam);
print_r($users);
When I open my webpage, I get an empty Array.
I checked, and there is a user with the username "dave" in my database.
This should work, however, it doesn't...
Anyone knows what I did wrong?
Thanks in advance.
First is, you have to execute it before using fetchAll():
$stmt->execute();
$result = $stmt->fetchAll();
This is the correct way:
$stmt = $connection->prepare('SELECT * FROM users where username = :username');
$stmt->bindParam(':username', $username);
If you want to user ? it will determine the order of ? in bindParam, use it like this:
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
More example:
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT);
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
Instead of using
$stmt->bindParam("s", $username, PDO::PARAM_STR);
you need to use
$stmt->bindParam(1, $username, PDO::PARAM_STR);
Check this link for details https://www.php.net/manual/en/pdostatement.bindparam
You need to check this Example #2 Execute a prepared statement with question mark placeholders
This is the correct way
$sql = "SELECT * FROM users where username = ?";
$stmt = $conn->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
return $stmt->fetchAll();
I'm new to prepared statements. Sql query is working fine if i insert dummy data and it is working without binding the integer($id).
Where am i wrong?
sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql));
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id);
mysqli_stmt_execute($stmt);
I found the error which cause the integer parameter to not bind. I didn't know that disabled input fields cannot post data, therefore i found a solution to replace the 'disabled' attribute with 'readonly'.
Before binding parameters you have to Prepare an SQL statement with parameters in it.
$sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ssi", $type, $desc, $id);
$stmt->execute();
You have to Prepare Statement first
**Procedural style**
$stmt = mysqli_prepare($conn, "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?");
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id);
mysqli_stmt_execute($stmt);
check http://php.net/manual/en/mysqli-stmt.bind-param.php
Try this
$sql= $con->prepare("update staff_type set s_type=?, description=? WHERE s_type_id = ?");
if ($result){
$sql->bind_param('ssi', $s_type, $desc, $s_type_id );
$sql->execute();
}
side note: s represents string while i represents integer
Hope this helps you
I want to execute the following mysql query:
SELECT * FROM `gc_users` WHERE `name` LIKE '%anyname%'
I tried this without success:
$stmt = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` LIKE :name");
$stmt->bindParam(':name', "%" . $name . "%");
$stmt->execute();
$stmt = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` LIKE '%:name%'");
$stmt->bindParam(':name', $name);
$stmt->execute();
So I ask you if it is possible to use the % wildcard with prepared statements.
/edit
Thank you. Its working with bindValue:
$stmt = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` LIKE :name");
$stmt->bindValue(':name', '%' . $name . '%');
$stmt->execute();
It can work with bind param too in following way:
$name = "%$name%";
$query = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` like :name");
$query->bindParam(':name', $name);
$query->execute();
This could be an alternative:
$className = '%' . $this->className . '%';
$query->bind_param('s', $className);
I am trying to sum the values from a column using mysqli prepared statement with the code below but is not working. Does anyone can help me pointing what I am doing wrong? Thanks!
$stmt2 = $mysqli->prepare("SELECT SUM(col) as total FROM tb_a WHERE user=?");
$stmt2->bind_param("s", $user);
$stmt2->execute();
$op_row = $stmt2->fetch_assoc();
echo $op_row['total'];
Give this a go:
$user = "Larry"; // example
$stmt = $mysqli->prepare("SELECT SUM(col) FROM tb_a WHERE user=?");
$stmt->bind_param("s", $user);
$stmt->execute();
$stmt->bind_result($total);
$stmt->fetch();
echo $total;
or
$user = "Robert"; // example
$stmt = $mysqli->prepare("SELECT SUM(col) FROM tb_a WHERE user=?");
$stmt->bind_param("s", $user);
$stmt->execute();
$stmt->bind_result($total);
while ($stmt->fetch()) {
echo $total;
}
Try this:
$stmt2 = $mysqli->prepare("SELECT SUM(col) as total FROM tb_a WHERE user=?");
$stmt2->bind_param("s", $user);
$stmt2->execute();
$res = $stmt2->get_result();
$row = $res->fetch_assoc();
The prepared statement object do not have a fetch_assoc() method so you should first use get_result() and the result of that has a fetch_assoc()
Try this
$conn = new mysqli;
$sum = "SELECT SUM(col) as total FROM tb_a WHERE user=?";
$stmt = $conn->prepare($sum);
$stmt->bind_param("s", $user);
$sum= $stmt->execute();
I want to use a single database connection with multiple queries but use prepare and bind_param. How can i do this? I cant find it in the documentation.
Edit: i want two completely different queries.
$db = getConnection();
$query = "INSERT INTO talks(title, body, topic) VALUES(?, ?, ?)";
$stmt = $db->prepare($query);
$stmt->bind_param('sss', $title , $body, $topic);
$stmt->execute();
$stmt->close();
$query = "SELECT * WHERE title=?";
$stmt = $db->prepare($query);
$stmt->bind_param("s", $title);
$stmt->execute();
$stmt->bind_result($i, $t, $b, $to);
$stmt->fetch();
$id = $i;
$stmt->close();
Its telling me that $stmt isnt an object on the second go around
Just prepare a second query, as you did with the first.
$conn = new mysqli(....);
$stmt = $conn->prepare(....);
//Do stuff with $stmt
$stmt = $conn->prepare(...different...); //$stmt is overridden with the new query.
//Do stuff with the new $stmt.