
Currently I'm trying to query a COUNT(*) using user input, so I want to prepare it, but when I do there is no response. I also tried using this: Row count with PDO, as an example (prepare and query), but neither of them seems to work. Why? There's no reason...

// The COUNT query splices $senha and $ar[$i] straight into the SQL text (no binding)
$count = $con->query("SELECT COUNT(*) FROM $table WHERE senha='$senha' AND var='{$ar[$i]}'")->fetchColumn();
if ($count != 0) {
    // Placeholders written inside single quotes: ':value', ':senha', ':var'
    $q = $con->prepare("UPDATE $table SET value=':value' WHERE senha=':senha' AND var=':var'");
    $q->execute(array(':senha' => $senha, ':value' => $ar[$i+1], ':var' => $ar[$i]));
} else {
    // Same quoting of the placeholders here
    $q = $con->prepare("INSERT INTO $table (id,senha,var,value) VALUES (NULL, ':senha', ':var', ':value')");
    $q->execute(array(':senha' => $senha, ':var' => $ar[$i], ':value' => $ar[$i+1]));
}

When I was using his first example (using prepare, not query, and passing the values in an array) it didn't work at all; the query one returns a number, but the if part (update or insert) does not work. I've tried a bunch of things and outputs, nothing worked...


1 Answer


You should not include single quotes when you use parameter binding with PDO. So correct your UPDATE and INSERT queries to the following:

$q = $con->prepare("UPDATE $table SET value=:value WHERE senha=:senha AND var=:var");

and

$q = $con->prepare("INSERT INTO $table (id,senha,var,value) VALUES (NULL, :senha, :var, :value)");
  • Without single quotes they can use # or --; how do I prevent this? – Pedro Gabriel Jul 22 '12 at 02:08
  • That will be taken care of by PDO. That's one of the purposes of using PDO parameter binding, actually :) – mask8 Jul 22 '12 at 02:12
  • Weird, when I tried it, it seemed to get commented out, hm. I'll try again. Thanks for the answer (accepted because it makes sense...) – Pedro Gabriel Jul 22 '12 at 03:41
  • You're welcome. Please update here if you have any issue with it; I will try to answer. – mask8 Jul 22 '12 at 04:00
  • Assuming your answer, is he wrong here? http://stackoverflow.com/questions/11595970/mysql-comments-tag-breaking-my-code-php/11595984#11595984 – Pedro Gabriel Jul 22 '12 at 09:29
  • Tested again, still commenting out my whole code... You answered the question, but if you can help me with this I would appreciate it. – Pedro Gabriel Jul 22 '12 at 10:20
  • Also, it prevents the -- comment, but not #. – Pedro Gabriel Jul 22 '12 at 10:37
  • What values exactly do you have for the queries? The parameters should escape any special characters for SQL. I wonder if you are having a problem with the first SELECT query? It isn't using parameters, thus you need to sanitize the values. – mask8 Jul 22 '12 at 13:35
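The exchange above turns on two separate things: a quoted `':senha'` is a string literal, so a prepared statement written that way binds nothing and simply matches no rows, while a bare `:senha` placeholder carries the value out of band, so `--` or `#` inside it is just text. The place where a comment sequence really does cut a query short is the un-parameterized SELECT COUNT(*), which interpolates `$senha` into the SQL. The following is an added example, not code from the original thread; it uses Python's sqlite3 module as a stand-in for PDO because it supports the same `:name` placeholder syntax, with a constructed `settings` table standing in for the asker's `$table` (the table name itself cannot be bound, so it is fixed here rather than taken from input). SQLite recognises `--` but not `#` as a comment start, so the injection probe uses `--`; MySQL treats both the same way, and the bound-parameter behaviour is identical.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the asker's table (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE settings (id INTEGER PRIMARY KEY, senha TEXT, var TEXT, value TEXT)"
    )
    con.executemany(
        "INSERT INTO settings (senha, var, value) VALUES (?, ?, ?)",
        [("secret1", "theme", "dark"), ("secret2", "theme", "light")],
    )
    con.commit()
    return con


def count_interpolated(con, senha, var):
    """The asker's SELECT: values spliced into the SQL text, so a quote plus
    a comment sequence in `senha` rewrites the WHERE clause."""
    sql = f"SELECT COUNT(*) FROM settings WHERE senha='{senha}' AND var='{var}'"
    return con.execute(sql).fetchone()[0]


def count_bound(con, senha, var):
    """Same query with bare :name placeholders; the values never touch the SQL text."""
    sql = "SELECT COUNT(*) FROM settings WHERE senha=:senha AND var=:var"
    return con.execute(sql, {"senha": senha, "var": var}).fetchone()[0]


def update_quoted_placeholders(con, senha, var, value):
    """The asker's UPDATE as posted: ':senha' in quotes is the literal string
    ":senha", not a placeholder, so the statement has zero parameters and
    matches no rows.  Returns the number of rows modified."""
    sql = "UPDATE settings SET value=':value' WHERE senha=':senha' AND var=':var'"
    cur = con.execute(sql, {"senha": senha, "var": var, "value": value})
    con.commit()
    return cur.rowcount


def upsert_bound(con, senha, var, value):
    """Corrected form of the asker's branch: bare placeholders throughout.
    Returns "update" or "insert" to say which path ran."""
    params = {"senha": senha, "var": var, "value": value}
    if count_bound(con, senha, var):
        con.execute(
            "UPDATE settings SET value=:value WHERE senha=:senha AND var=:var", params
        )
        con.commit()
        return "update"
    con.execute(
        "INSERT INTO settings (id, senha, var, value) VALUES (NULL, :senha, :var, :value)",
        params,
    )
    con.commit()
    return "insert"


def read_value(con, senha, var):
    """Read back a stored value, again with bound parameters."""
    row = con.execute(
        "SELECT value FROM settings WHERE senha=:senha AND var=:var",
        {"senha": senha, "var": var},
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    probe = "' OR 1=1 --"  # constructed injection probe
    print("interpolated COUNT with probe:", count_interpolated(con, probe, "theme"))
    print("bound COUNT with probe:", count_bound(con, probe, "theme"))
    print("rows hit by quoted-placeholder UPDATE:",
          update_quoted_placeholders(con, "secret1", "theme", "blue"))
    print("upsert path:", upsert_bound(con, "secret1", "theme", "x' -- #"))
    print("stored value:", read_value(con, "secret1", "theme"))
```

Running it shows the interpolated COUNT returning every row for the probe value while the bound COUNT returns 0, the quoted-placeholder UPDATE touching 0 rows (the silent "doesn't work" from the question), and a value containing `' -- #` stored verbatim by the corrected upsert rather than commenting anything out.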