Dynamically Building PHP PDO MySQL query

Question

I am converting old-style MySQL/PHP queries on a site. I have a page that has a series of checkboxes. This is submitted, and a query is built based on what checkboxes are checked (there are at least 6 like the following):

if (xxxxx) {
    $furthersort=$furthersort."AND age_birth='yes' ";
    }
if (xxxxx) {
    $furthersort=$furthersort."AND age_three='yes' ";
    }

...

$prequery = "SELECT id from products WHERE product_categories LIKE '%$catid%' ".$furthersort."ORDER BY product_name ASC";

I'm trying to move the second part this over to PHP like this:

$query = $objDb->prepare("SELECT id from products WHERE product_categories LIKE ? ? ORDER BY product_name ASC");
$params3 = array('%$catid%',$furthersort);
$query->execute($params3); 
while ($row = $query->fetch(PDO::FETCH_ASSOC));

But it's not working. The variables created by the if's are correct, so I'm sure it's because I am missing an understanding of how the prepare portion interprets the information, but I need a push in the right direction.

Answer 1

Like Mr. Blanchard pointed out, you seem to have unintentionally added 2 place-holders instead of one in your LIKE clause. It should read:

            <?php
            // RIGHT AFTER THE LIKE YOU HAD 2 PLACE-HOLDERS: ? ? RATHER THAN JUST 1: ?
            if (xxxxx) {
                // YOU ARE CONCATENATING "AND" DIRECTLY TO THE $furthersort VARIABLE WITHOUT A SPACE: WRONG...
                // $furthersort = $furthersort."AND age_birth='yes' ";
                $furthersort    = $furthersort." AND age_birth='yes' ";
            }
        if (xxxxx) {
                // YOU ARE CONCATENATING "AND" DIRECTLY TO THE $furthersort VARIABLE AGAIN WITHOUT A SPACE: WRONG...
                // $furthersort = $furthersort."AND age_three='yes' ";
                $furthersort    = $furthersort." AND age_three='yes' ";
            }

        ...

        $prequery  = "SELECT id from products WHERE product_categories LIKE '%";
        $prequery .= $catid . "%' " . $furthersort. " ORDER BY product_name ASC "; // <== WHITE SPACE IS GRATIS IN MYSQL


        $sql        = "SELECT id from products WHERE product_categories LIKE :CAT_ID ORDER BY product_name ASC";
        $query      = $objDb->prepare($sql);
        // $params3 = array('%$catid%', $furthersort);      <==  VARIABLE INSIDE SINGLE QUOTES!!! YOU MAY USE DOUBLE QUOTES...
        $params3    = array("CAT_ID"=>"%" . $catid . "%" . $furthersort);
        $query->execute($params3); 
        while ($row = $query->fetch(PDO::FETCH_ASSOC));

Answer 2

You have two problems. First you can only have one bound argument for the LIKE condition, so you have to state that and the subsequent conditions:

$query = $objDb->prepare("SELECT id from products WHERE product_categories LIKE ?  AND age_three = ? ORDER BY product_name ASC");

Now you can send two values in the array

$furthersort = 'yes';
$params3 = array("%$catid%", $furthersort);

Now, given that we do not know how you set $furthersort it is hard to come up with something exact for you to use but suffice it to say for each condition you add to the query, you have to add another bound parameter if you plan to continue along the lines of creating dynamic queries. the logic for doing that is much more complex than I have demonstrated here.