F.N
Reputation: 401
PDO Mysql WHERE LIKE query implementation
I have this simple function in a class:
public function getSearchResults($selectedMethod, $query)
{
$this->_query = '%'.$query.'%';
$this->_selectedMethod = $selectedMethod;
$db = mysql_init();
$sql = "SELECT * FROM plantsRecords WHERE ? LIKE ?";
$prq = $db->prepare($sql);
$prq->bindValue(1,$this->_selectedMethod,PDO::PARAM_STR);
$prq->bindValue(2,$this->_query,PDO::PARAM_STR);
$prq->execute();
}
The problem is that something is happening with WHERE and LIKE. If i put a standard column_name the query works, but if i assign it with a ? it doesn't. I read all similar questions in this site but everyone has the parameter of WHERE statement standard.
Upvotes: 0
Views: 88
Answers (1)
user399666
Reputation: 19879
You can't bind the column name as a parameter. You'll need to do something like:
$sql = "SELECT * FROM plantsRecords WHERE " . $this->_selectedMethod . " LIKE ?";
$prq = $db->prepare($sql);
$prq->bindValue(1, $this->_query,PDO::PARAM_STR);
$prq->execute();
You'll need to make sure that $this->_selectedMethod is not chosen by the user. If it is chosen by the user, then you will need to whitelist the allowed column names.
Upvotes: 1
Related Questions
- Multiple LIKE in PDO query
- PHP PDO prepared statement -- MySQL LIKE query
- implement LIKE query in PDO
- pdo LIKE clause and IN clause
- PDO MySQL and php like statement
- PDO query with multiple like
- Correct syntax for PDO LIKE statement
- MySQL WHERE LIKE not working with multiple fields using php and pdo bind
- PHP PDO MySQL LIKE and prepared statements
- How to do LIKE search with PDO?