0

I am querying my database with pdo prepared statements and I can not figure out how to return the actual query after executing the query.
I have tried print_r($statement);, but all that does is give the the pdo prepared query. Any help will be much appreciated!

$sql = ("SELECT * FROM `mySite` WHERE `info` LIKE :checkSite OR `users` LIKE :checkSite");
$stmt = $pdo->prepare($sql);
$stmt->bindParam(":checkSite", "%$checkSite%");

$stmt->execute();
$results = $stmt->fetchAll();
foreach($results as $row){
    echo $row['users'];
}
Ansgar Wiechers
  • 193,178
  • 25
  • 254
  • 328
user2692006
  • 31
  • 7

1 Answers1

0

This is quite complicated task and one of drawbacks of using prepared statements.

Yet API doesn't offer such a useful feature out of the box. So, the only way to get raw SQL is to parse placeholders manually. There are some home-brewed solutions in this answer

Community
  • 1
  • 1
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • Ok. I am using this to create a search bar on my website...Is there a better method that will still prevent sql injection? – user2692006 Aug 19 '13 at 17:37
  • Err... what do you mean? Prepared statements are **the only** way to deal with SQL queries. And you can use them to create search bars as well. Why do you think you need another solution? – Your Common Sense Aug 19 '13 at 17:39
  • It just seems like to get the query information is rather strange where as querying without pdo it is easier to get the information – user2692006 Aug 19 '13 at 17:43
  • I have the search bar set up the issue is that I can not get the result of the query to display the proper material back to the user – user2692006 Aug 19 '13 at 17:45
  • You were talking of the **query**, not the **results**. What certainly cannot you get? May be you add some code to your question to make it more clear? – Your Common Sense Aug 19 '13 at 17:47
  • Sorry I miswrote I mean to get the results of the pdo query $stmt = $pdo->prepare($sql); $stmt->bindParam(":checkSite", $input); $stmt->execute(); I am trying to use the results of this query to display information back to the user – user2692006 Aug 19 '13 at 17:49
  • Well, it makes your question totally different. Please add the code you tried to the question. Did you try `$results = $stmt->fetchAll();` and then `foreach` them? – Your Common Sense Aug 19 '13 at 17:52
  • It displays Array is there something wrong with my query setup? $sql = ("SELECT * FROM `mySite` WHERE `info` LIKE :checkSite OR `users` LIKE :checkSite"); – user2692006 Aug 19 '13 at 17:55
  • Arrays intended to be **iterated**. did you try foreach? It seems your problem is basic PHP syntax, not whatever PDO issue. – Your Common Sense Aug 19 '13 at 18:00
  • $results = $stmt->fetchAll(); foreach($results as $row){ echo $row; } is this not right? – user2692006 Aug 19 '13 at 18:02
  • No. $row is an array too. You need to address it's elements like `$row['users']` like every manual tell you. – Your Common Sense Aug 19 '13 at 18:11
  • nope it still doesn't display anything, wait the query is supposed to have '%stringBeingSearch%' how would I incorporate the % – user2692006 Aug 19 '13 at 18:15
  • add it to the bound variable, like `$stmt->bindParam(":checkSite", "%$checkSite%");` – Your Common Sense Aug 19 '13 at 18:21
  • I did that and I get this error Fatal error: Cannot pass parameter 2 by reference – user2692006 Aug 19 '13 at 18:24
  • 1
    oh, that's right. use bindValue instead. Please, read at least pdo tag wiki here first: http://stackoverflow.com/tags/pdo/info I am not supposed to tell you whole PDO syntax here in the comments. – Your Common Sense Aug 19 '13 at 18:26
  • YAY it works...Is it as secure from sql injection to use bindValue instead of bindParam? – user2692006 Aug 19 '13 at 18:29