开发者

Parameter binding fails where concatenation works

问答 作者:

I am trying to execute the following sql from php using pdo: SELECT * FROM my_table WHERE name=?.

When I do this: 

$sql = 'SELECT * FROM my__table WHERE name=?' ;  
$stmt = $dbconn->prepare($sql);  
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);  
$stmt->execute();

I get an empty result set.

When I do this: 

$sql = 'SELECT * FROM my__table WHERE name=\''.$_POST['name'].'\'' ;  
$stmt = $dbconn->prepare($sql);  
$stmt->execute();

I get the row that I need.

The column 'name' is a VARCHAR(32). This bug only happens with strings. When th开发者_JAVA百科e bound parameter is an sql INTEGER everything works like it is supposed to.

I am using sqlite3, php 5.2.6 under Apache on Ubuntu.

Both of these should work:

Without using binding

$sql = "SELECT * FROM my__table WHERE name = ? " ;
$stmt = $dbconn->prepare($sql);
$stmt->execute(array($_POST['name']));

Using a named parameter

$sql = "SELECT * FROM my__table WHERE name = :name " ;
$stmt = $dbconn->prepare($sql);
$stmt->bindParam(':name', $_POST['name'], PDO::PARAM_STR);
$stmt->execute(array($_POST['name']));

What about this?

$sql = "SELECT * FROM my__table WHERE name='?'" ;  
$stmt = $dbconn->prepare($sql);  
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);  
$stmt->execute();

继续阅读:parameterbindingpdophp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9