tags:

views:

259

answers:

2
+2  Q: 

using prepared mysqli statements to bind parameters into the SELECT section of a query

I am building a web app that imports data from data feeds in php/mysql. I import the data into a buffer/temp holding table. As each data format is different I choose the column to select based on the particular source.

I am having trouble getting this query to work in this context :

$stmt = $this->dbObj->prepare("SELECT mk.PK_phone_maker, b.?, b.phoneDescription
            b.thumbPic,
        FROM buffer_table b left join mobile_phone pm on b.? = pm.phoneModel
            LEFT JOIN phone_maker mk on mk.CompanyName = b.?
        WHERE pm.phoneModel is null
        group by b.?");
$stmt->bind_param('ssss',$phoneModelField, $phoneModelField, $phnMakerField,$phoneModelField);
$stmt->execute();

I recieve the error msg:

Fatal error: Call to a member function bind_param() on a non-object

This refers to the line:

 $stmt->bind_param('ssss',$phoneModelField, $phoneModelField,

And I assume this is because the "prepare" on my sql hasnt worked as $stmt is not an object

As such it appears to me that you can not bind parameters to select columns and join fields, you can only bind to the where clause. Am I right in this assertion or am I missing something?

+1  A: 

Prepared statements only allow you to bind values, other constructs (such as fields, tables or functions, let alone whole bits of SQL) are not allowed.

Victor Nicollet  2010-01-26 10:56:41
A: 

@Victor Nicollet is correct -- you can use a query parameter only in a context where you could have used a literal value.

If you need to make other parts of your query variable (e.g. column name, table name, SQL keywords, or whole SQL expressions), you need to build a dynamic SQL query as a string, and interpolate PHP variables or expressions into the string. Be sure to do this carefully to avoid SQL injection vulnerabilities.

The other WTF in your code is that you didn't check that the prepare() function returned an object of type mysqli_stmt. In this case, because you used query parameters in an invalid way, prepare() returned false to indicate a syntax error. Of course false is not an object; it doesn't have a bind_param() method. That's why you got the error you did.

Bill Karwin  2010-01-27 01:49:41

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases