
Possible Duplicate:
PDO Database access WHERE title = $title

Here is a sample of $message's content:

string(108) "\n cc je t'ai envoyé une invitation A plus :p\n "

Here is the error message:

Fatal error: Call to a member function setFetchMode() on a non-object in B:\wamp\www\messages.php on line 101

My query that doesn't work:

    // $message is interpolated straight into the SQL text
    $resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%$message%'");
    $resultats->setFetchMode(PDO::FETCH_OBJ);
    $occurences = $resultats->rowCount();

Why does this one work? (I replaced $message with a):

    $resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%a%'");
    $resultats->setFetchMode(PDO::FETCH_OBJ);
    $occurences = $resultats->rowCount();
Ydhem
  • You didn't escape it properly. Use parameterized queries, if you're using PDO to begin with. And you didn't check for `$resultats` getting set, nor for any error messages. – mario Nov 08 '12 at 14:43
  • Shouldn't you be parametrizing your query? I imagine your message has a quotation mark in it somewhere. – Waleed Khan Nov 08 '12 at 14:43
  • @mario & Waleed Khan Yes. Thank you very much, the problem was the quotation marks. – Ydhem Nov 08 '12 at 14:49

2 Answers

Try using PDO Prepare. This is the 'almost' equivalent to mysql_real_escape_string(). This will probably eliminate most (if not all) of your errors due to special characters.

Greeso

Simply using PDO with the same techniques that were used for mysql_* doesn't do you any good, you need to take advantage of its parameterized queries:

$query = $connexion->prepare("SELECT * FROM messages WHERE message LIKE ?");
$query->setFetchMode(PDO::FETCH_OBJ);
if($query->execute(array('%'.$message.'%'))) {
    // process
}
else {
    // only for debugging purposes, not a live app
    var_dump($connexion->errorInfo());
}

It performs all necessary escaping automatically and correctly for you on the parameters that you pass via the execute() method.

As for "I used addslashes": that is not safe. Use prepared statements as demonstrated above.

Unless you are generating SQL – actual SQL logic, not filling in blanks with user generated content – you should never have a need for PHP variables within SQL.

phant0m
  • I'm having the same problem with your code :o That's strange. I also tried this => `$query = $connexion->prepare("SELECT * FROM messages WHERE message LIKE :msg"); $resultats = $query->execute(array('msg' => '%'.$message.'%')); $resultats->setFetchMode(PDO::FETCH_OBJ);` But I'm having the same issue... However it's working with addslashes and a simple "execute". – Ydhem Nov 08 '12 at 14:58
  • @Meds See my edit on how to get an error message. – phant0m Nov 08 '12 at 15:03
  • @phant0m A var_dump of $message = string(21) "\n salluuuut\n " And I'm getting a Fatal error: Call to a member function setFetchMode() on a non-object in messages.php on line 103. So it's the same error, line 103 => $resultats->setFetchMode(PDO::FETCH_OBJ);. I'm pretty sure that my request is correct. – Ydhem Nov 08 '12 at 15:07
  • @Meds refresh the page to ensure you are seeing the most recent version of my post. – phant0m Nov 08 '12 at 15:08
  • Ok, I'll edit my question once I've finished. – Ydhem Nov 08 '12 at 15:16
  • That was a small mistake from you, and a big one from me, because I didn't notice that you had set the FetchMode on the result instead of the query. So, $resultats->setFetchMode(PDO::FETCH_OBJ) = $query->setFetchMode(PDO::FETCH_OBJ); – Ydhem Nov 08 '12 at 15:30
  • @Meds Oh, right, sorry, I got confused there. – phant0m Nov 08 '12 at 15:32