Nutz

Reputation: 89

How to return a PDO result with prepared statements and parameterized queries to a webpage?

I used the following answer in order to patch SQLi (How can I prevent SQL injection in PHP?); however, although the connection to the database is made, the pages are left blank, as if the data is not returned. Here's an example:

    public function getPlayerInfo($name){
        $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = ':name'"); 
        //$stmt->execute(); 
        return $stmt->execute(array('name' => $name)); // I tried using this but it didn't work, information page is left blank
        return $stmt->fetchAll(PDO::FETCH_ASSOC); // This one used to work before I applied the patch
    }

I'm using the function in the player information page to display his information. How can I use it in order to return an array that can be read on that page via foreach?

Thanks!

Upvotes: 0

Views: 41

Answers (1)

Rajdeep Paul

Reputation: 16963

Remove the single quotes around the placeholder :name; your prepared statement should look like this:

$stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = :name"); 

Here's the complete getPlayerInfo() method:

public function getPlayerInfo($name){
    $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = :name"); 
    $stmt->execute(array('name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC); 
}

This issue has already been documented here: http://php.net/manual/en/pdo.prepare.php#111458

Upvotes: 1
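The following is an added, self-contained example (not code from the question or the answer above) that reproduces both versions of the method against an in-memory SQLite database, so it runs offline without a MySQL server. The class name PlayerRepository, the extra columns Level and Guild, and the row values are constructed for the demo. It shows three things the thread touches on: the fixed method returns an array a page can iterate with foreach; a quote inside the looked-up name is treated as data rather than as SQL; and the quoted-placeholder version fails at execute() because the statement contains no parameter named :name. With PDO's default silent error mode that failure is invisible and the page simply renders empty, which is why the example switches on ERRMODE_EXCEPTION.

```php
<?php
// Added example, not part of the original question or answer.
// Uses an in-memory SQLite database so it runs offline; table columns
// Level/Guild and all row values below are constructed for the demo.

final class PlayerRepository          // hypothetical class name
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Variant from the question: the placeholder is wrapped in quotes, so the
    // SQL contains the literal string ':name' and defines no parameter at all.
    public function getPlayerInfoBroken(string $name): array
    {
        $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = ':name'");
        $stmt->execute(['name' => $name]);   // binding to a parameter that does not exist
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Variant from the answer: bare :name placeholder, value bound at execute().
    public function getPlayerInfo(string $name): array
    {
        $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = :name");
        $stmt->execute(['name' => $name]);   // PDO accepts the key with or without the colon
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new PDO('sqlite::memory:');
// Report driver errors as exceptions instead of returning false silently;
// a silent false from execute() is what produced the blank page in the question.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE playerinfo (PlayerName TEXT PRIMARY KEY, Level INTEGER, Guild TEXT)');
$insert = $db->prepare('INSERT INTO playerinfo (PlayerName, Level, Guild) VALUES (:n, :l, :g)');
// Constructed rows; the second name deliberately contains a single quote.
foreach ([['Alice', 42, 'Red'], ["O'Brien", 7, 'Blue']] as [$n, $l, $g]) {
    $insert->execute(['n' => $n, 'l' => $l, 'g' => $g]);
}

$repo = new PlayerRepository($db);

// 1. The fixed method returns an array of associative rows, ready for foreach in a template.
foreach ($repo->getPlayerInfo('Alice') as $row) {
    echo "{$row['PlayerName']} is level {$row['Level']} in guild {$row['Guild']}\n";
}

// 2. A quote in the value is just data: the bound parameter never becomes part of the SQL text.
$rows = $repo->getPlayerInfo("O'Brien");
echo count($rows), " row(s) found for O'Brien\n";

// 3. The quoted-placeholder version fails at execute(); with ERRMODE_EXCEPTION the
//    cause is visible instead of an empty page.
try {
    $repo->getPlayerInfoBroken('Alice');
} catch (PDOException $e) {
    echo 'Broken query failed: ', $e->getMessage(), "\n";
}
```

Returning `$stmt->execute(...)` directly, as the first attempt in the question does, hands the page a boolean rather than the rows; the fetch has to happen after a successful execute(), which is what the answer's version does.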
