
Possible Duplicate:
MySQL / PDO / Prepared Statements - All a big jump, a bit overwhelming and a little confusing?

I am using this code to insert data into a users table. It works fine unless the user's last name contains an apostrophe (e.g. O'Toole). It is my understanding that PDO prepared statements should handle the apostrophe with no additional work on my part. Is my assumption incorrect, and is that why this code does not work for names with apostrophes?

I am not getting an error message.

require_once('/database/database.php');
// The values are interpolated straight into the SQL string. The ':name' placeholders
// bound below do not exist in this query, so the bindValue() calls have no effect.
$query = "INSERT INTO users
             (first_name,last_name, email, pass, reg_date)
          VALUES
             ('$fn','$ln','$em', SHA1('$pwd'), NOW())";

try {
    $statement=$db->prepare($query);
    $statement->bindValue(':first_name',$fn);
    $statement->bindValue(':last_name',$ln);
    $statement->bindValue(':email',$em);
    $statement->bindValue(':pass',SHA1('$pwd'));

    $success = $statement->execute();
    $row_count = $statement->rowCount();
    $statement->closeCursor();
} catch (PDOException $e) {
    // The original snippet ended inside the try block; this catch closes it.
    echo $e->getMessage();
}
JEHR
    Because you're not using prepared statements. You're concatenating values directly into the SQL command, despite trying to bind values afterwards. See the manual again http://php.net/manual/en/pdo.prepared-statements.php – mario Oct 04 '12 at 00:03
  • A total sidenote; SHA1('$pwd') will produce the SHA1 string of the literal string '$pwd'. Only double-quotes automatically insert variable content for you. Even so, double-quotes are not needed there, it should just be SHA1($pwd) - it has nothing to do with your question, just wanted to let you know because you're not actually storing passwords that way. :) – Teekin Oct 04 '12 at 00:04
  • @mario: That should be an answer. :) – Teekin Oct 04 '12 at 00:05
  • @Helgi Thanks for catching that and for the tip. – JEHR Oct 04 '12 at 00:33

1 Answer


You are not using the bind correctly; try this:

$query = "INSERT INTO users
         (first_name, last_name, email, pass, reg_date)
      VALUES
         (:first_name, :last_name, :email, :pass, NOW())";

You 'bind' your values to the placeholders in the query.

BenOfTheNorth
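Putting the answer's placeholder query to work, as an added example that is not part of the question or the answer: it assumes an in-memory SQLite database in place of the MySQL connection from /database/database.php, keeps the users table columns from the question, uses password_hash() where the question used SHA1, and also shows why the interpolated form fails on O'Toole and why that failure was invisible under PDO's default silent error mode.

```php
<?php
// Added example: the insert rewritten with named placeholders so the driver carries
// the values and string interpolation never touches the SQL. SQLite in-memory DSN,
// table layout and sample values are assumptions for a stand-alone run.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');                                   // assumption: SQLite for the demo
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);       // report failures instead of swallowing them
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);               // honoured by pdo_mysql; pdo_sqlite ignores it
    $db->exec('CREATE TABLE users (first_name TEXT, last_name TEXT, email TEXT, pass TEXT, reg_date TEXT)');
    return $db;
}

function insertUser(PDO $db, string $fn, string $ln, string $em, string $pwd): int {
    // No PHP variables inside the SQL string: only placeholders, which bindValue() fills.
    $sql = "INSERT INTO users (first_name, last_name, email, pass, reg_date)
            VALUES (:first_name, :last_name, :email, :pass, CURRENT_TIMESTAMP)";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':first_name', $fn);
    $stmt->bindValue(':last_name',  $ln);   // "O'Toole" needs no escaping here
    $stmt->bindValue(':email',      $em);
    // Hash in PHP and bind the result; password_hash() stands in for the question's SHA1('$pwd').
    $stmt->bindValue(':pass', password_hash($pwd, PASSWORD_DEFAULT));
    $stmt->execute();
    return $stmt->rowCount();
}

// What the question's interpolated query does with the same input: the apostrophe
// ends the SQL string literal and the statement is rejected. Under PDO's default
// PDO::ERRMODE_SILENT that rejection is only visible via errorInfo(), which is why
// the question saw no error message.
function interpolatedQueryFails(PDO $db, string $ln): bool {
    try {
        $db->exec("INSERT INTO users (first_name, last_name, email, pass, reg_date)
                   VALUES ('x', '$ln', 'x', 'x', CURRENT_TIMESTAMP)");
        return false;
    } catch (PDOException $e) {
        return true;   // e.g. near "Toole": syntax error
    }
}

$db = connect();
printf("rows inserted via placeholders: %d\n", insertUser($db, 'Mary', "O'Toole", 'mary@example.com', 'correct horse'));
printf("interpolated insert rejected: %s\n", interpolatedQueryFails($db, "O'Toole") ? 'yes' : 'no');
printf("stored last_name: %s\n", $db->query('SELECT last_name FROM users')->fetchColumn());
```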