For some reason my PHP PDO sql search isn't turning up anything. I'm trying to implement some kind of search engine into my site, but I can't seem to get anything. I've been trying a bunch of different solutions up until now but the search keeps turning up empty, even given exactly the right parameters. The $find variable is entered by the user, and the $field variable is a dropdown list from which the user can choose what to search for, which returns values that equal the names of columns in the database.

            $find = strtoupper($_POST['find']);
            $find = "%" . $find . "%";
            $field = $_POST['field'];

            $qry = $conn->prepare("SELECT * FROM \"MovieDB\" WHERE upper(:field) LIKE :find%");
            $qry->bindParam(':find', $find, PDO::PARAM_STR, 16);
            $qry->bindParam(':field',$field, PDO::PARAM_STR,16);
            $qry->execute();
            $results = $qry->fetchAll();
1 Answer

PDO does not allow binding of field or table names.

I suggest injecting the field value directly into your query string.
Be sure to sanitize it to avoid SQL injection!

$qry = $conn->prepare("SELECT * FROM \"MovieDB\"
                       WHERE upper(`" . $field_sanitized . "`) LIKE :find");
// Only the search text is bound; the column name was interpolated above
// (backtick identifier quoting is MySQL style; PostgreSQL uses double quotes).
$qry->bindParam(':find', $find, PDO::PARAM_STR, 16);

How to dynamically build queries with PDO

php.net references inability to bind table names:
http://us3.php.net/manual/en/book.pdo.php#69304
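
Putting the answer into practice as an added example (not the answer's own code): the column name is checked against a fixed allow-list before it is interpolated, and only the search text is bound as a value. The in-memory SQLite table, its column names and the rows are constructed assumptions so the snippet runs stand-alone.

```php
<?php
// Added example, not the answer's own code: the column name comes from a fixed
// allow-list and is interpolated; only the search text is bound as a value.
// Uses an in-memory SQLite table so it runs stand-alone; table and rows are constructed.

const SEARCHABLE_COLUMNS = ['title', 'director', 'genre'];   // assumed <select> options

function searchMovies(PDO $conn, string $field, string $find): array
{
    // PDO placeholders cannot carry identifiers, so the column must be checked
    // against the allow-list before it is placed into the SQL text.
    if (!in_array($field, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Not a searchable column: $field");
    }

    // Wildcards belong in the bound value: "LIKE :find%" in the SQL text is a
    // syntax error, while binding "%...%" to a plain :find works.
    $pattern = '%' . strtoupper($find) . '%';

    // Double-quoted identifiers as in the question (PostgreSQL/SQLite style);
    // MySQL would use backticks instead. Safe to interpolate only because
    // $field was compared against the allow-list above.
    $sql = sprintf('SELECT * FROM "MovieDB" WHERE upper("%s") LIKE :find', $field);

    $qry = $conn->prepare($sql);
    $qry->bindValue(':find', $pattern, PDO::PARAM_STR);
    $qry->execute();
    return $qry->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the function can be exercised offline.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE "MovieDB" (title TEXT, director TEXT, genre TEXT)');
$conn->exec("INSERT INTO \"MovieDB\" VALUES ('Alien', 'Ridley Scott', 'horror'),
                                         ('Heat', 'Michael Mann', 'crime')");

print_r(searchMovies($conn, 'director', 'scott'));   // one row: Alien

try {
    searchMovies($conn, 'rating', 'x');   // not in the allow-list: rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```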
