php pdo: bindValue or BindParam doesn't modify the prepared statement.

Question

Hello. Using latest php in order to create a function that adds a row to table user.

class targil_db {

    private $_pdo;

    public function __construct() {
        // username: root password: <blank> database: targil
        $this->_pdo = new PDO(
                    'mysql:host=127.0.0.1;dbname=targil',
                    'root',
                    ''
                    );
    }

function addUser($username, $password) {

    $md5password = md5($password);
    $sql = <<<SQL
        "INSERT INTO user (username,password) VALUES (:username,:password)"
SQL;

    $stmt = $this->_pdo->prepare($sql);
    $stmt->bindValue(':username', $username,PDO::PARAM_STR);
    $stmt->bindValue(':password', $password,PDO::PARAM_STR);
    $stmt->execute();
}

}

when i execute the addUser function, this is the query that i see executed on the mysql log file:

INSERT INTO user (username,password) VALUES (:username,:password)

as you can see it did not replace the :varname into the proper value. what am i missing ?

I tried both bindValue and bindParam but i got the same results.

thanks

update

even when i change :username and :password to ?,? and i use bindValue(1,$username) and bindValue(2,$password) i get the same results. the query that get executed actually still has ?,? in it instead of the actual variables.

Answer 1

This:

 $sql = <<<SQL
    "INSERT INTO user (username,password) VALUES (:username,:password)"
SQL;

should be:

$sql = <<<SQL
    INSERT INTO user (username,password) VALUES (:username,:password)
SQL;

I needed to remove the double quotes, i already used <<<SQL to start the string and SQL; to stop it.