tags:

views:

165

answers:

5
Q: 

How to use prepared statements in this query?

I'm new to PHP and PDO, and I try to use prepared statements here. After 1 hour of trying around I give up. Or my tutorial was just horribly bad.

EDIT:

This works perfectly without prepared statements:

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', 'root', 'root');
    $prepared = $dbh->prepare('SELECT * from sys_navigation_point WHERE name="root"');
    //$prepared->bindParam('foo', 'root');

    $prepared->execute();

    foreach($prepared as $row) {
        print_r($row);
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

But this does not work at all with a prepared statement. Getting a totally blank page when doing this:

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', 'root', 'root');
    $prepared = $dbh->prepare('SELECT * from sys_navigation_point WHERE name=:foo');
    $prepared->bindParam('foo', 'root');

    $prepared->execute();

    foreach($prepared as $row) {
        print_r($row);
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

foo should be replaced with root. However, it doesn't.

+1  A: 

http://www.php.net/manual/en/pdo.prepare.php A commenter there says that it doesn't work properly for keywords, table names, view names and field names So you'd need $prepared = $dbh->prepare('SELECT * from ' . $table);

As it only really works for column variables.

MindStalker  2009-12-22 13:52:23
I've updated my question with better examples. It doesn't work even for column variables.
openfrog  2009-12-22 14:11:47
+2  A: 

You can't use params for stuff like table and column names, it's meant to be used for values, to prevent SQL Injections in values.

This should work:

$prepared = $dbh->prepare('SELECT * from sy_navigation_point WHERE Foo=:whatever');
$prepared->bindParam('whatever', 'Bar');
Sander Rijken  2009-12-22 13:53:08
does not work: I get a blank page as soon as I do any param binding
openfrog  2009-12-22 14:06:32
I've updated my question with better examples. It doesn't work.
openfrog  2009-12-22 14:11:12
Doesn't work, yet the answer is accepted? What was the solution?
Sander Rijken  2009-12-22 16:11:09
Prepared Statements aren't for preventing SQL injections. They were invented to parse the SQL statement and build the execution plan once and then execute it multiple times using different values so one first sent the "raw" query and then, independently, all data. That this protects from SQL injection is a side-effect but not the intention.(Especially as it doesn't work in all areas, like dynamic field names etc.)
johannes  2009-12-22 23:11:11
A: 

You cannot bind a table in a MySQL prepared statement, you can only bind values. From the manual:

However, they are not allowed for identifiers (such as table or column names), or to specify both operands of a binary operator such as the = equal sign.

Victor Nicollet  2009-12-22 13:59:16
+1  A: 

Your bindParam's second parameter has to be a variable, otherwise you'll get a fatal error. So, 

$value='root';
$prepared->bindParam('foo', $value);

or:

$prepared->bindValue('foo', 'root');


It's easy to figure out when error messages are displayed:

if ($in_development) ERROR_REPORTING(E_ALL);
// ... code
Derek Illchuk  2009-12-22 14:28:17
+1  A: 

Try using the colon in the name, too while binding:

$prepared->bindParam(':foo', 'root');

As it is done in the docs: http://php.net/manual/en/pdostatement.bindparam.php

johannes  2009-12-22 14:49:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases