
just a quick question about binding in php

I know if you do something like

$select = "update my_table set name ='" . $posted_name . "' where id=1";

and that is subject to SQL injection,

but how will you bind the query below

$select = "update my_table set name ='" . $posted_name[$a] . "' where id=1";

In my bind array this is how I am binding anything without `[$a]`.

For example, with the first statement I am doing

$select = "update my_table set name = :p_update_name where id=1";

$bind_update = array('p_update_name' => $t_update_name);
Kuzgun
Henry

2 Answers

1

Try like this:

// prepare once with positional placeholders; the values are bound by reference
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row: the variables are read at execute() time
$name = 'one';
$value = 1;
$stmt->execute();
Suresh Kamrushi
0

You don't have to make all the names equal.

$select = "update my_table set name =:whatever where id=1";
$bind_update = array('whatever' => $random_variable);

will do. So it can be any variable you can think of, as long as it's a scalar variable though.

Your Common Sense
  • What about the `[$a]`? Wouldn't I need to include that in the statement or the binding? – Henry Nov 25 '13 at 13:36
  • OK, I see your answer, so basically the way you are binding `$select = "update my_table set name ='" . $posted_name[$a] . "' where id=1";` is the same as `$select = "update my_table set name ='" . $posted_name . "' where id=1";` – Henry Nov 25 '13 at 13:44
  • There is no binding in your example. – Your Common Sense Nov 25 '13 at 13:45
  • Sorry for the late reply. I updated my question to show how I am binding; I am using array binding (Oracle), but its query is no different and the function that was written is in PHP. – Henry Nov 26 '13 at 12:40
  • All I can do is only repeat what I said before: there is absolutely no reason for the variables to have the same name as the placeholders. – Your Common Sense Nov 26 '13 at 12:55
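Putting both answers together, here is an added example (not code from the question or either answer) of binding one element of an array, `$posted_name[$a]`, with a PDO prepared statement. It assumes a PDO handle `$dbh`, a table `my_table(id, name)`, and a constructed `$posted_name` array; the in-memory SQLite database is only so it runs offline, and the Oracle array-binding function the asker mentions is not covered here.

```php
<?php
// Constructed sample input: the second value contains a quote, which is enough
// to break the concatenated query below but is harmless when bound.
$posted_name = ['alice', "O'Brien", 'carol'];

// The form from the question: the array element is spliced into the SQL text,
// so any quote inside it is parsed as part of the statement (injectable).
function build_unsafe(array $posted_name, int $a): string
{
    return "update my_table set name ='" . $posted_name[$a] . "' where id=1";
}

// Bound form: the placeholder name is arbitrary (it need not match the variable),
// and $posted_name[$a] travels as a value, never as SQL text.
function update_name(PDO $dbh, array $posted_name, int $a): int
{
    $select = "update my_table set name = :whatever where id = :id";
    $bind_update = ['whatever' => $posted_name[$a], 'id' => 1];
    $stmt = $dbh->prepare($select);
    $stmt->execute($bind_update);
    return $stmt->rowCount();
}

// Same statement prepared once and re-executed for every index of the array
// (constructed mapping: element $a updates row id $a + 1).
function update_all(PDO $dbh, array $posted_name): void
{
    $stmt = $dbh->prepare("update my_table set name = :whatever where id = :id");
    foreach ($posted_name as $a => $name) {
        $stmt->execute(['whatever' => $name, 'id' => $a + 1]);
    }
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("create table my_table (id integer primary key, name text)");
$dbh->exec("insert into my_table (id, name) values (1, 'old'), (2, 'old'), (3, 'old')");

echo build_unsafe($posted_name, 1), PHP_EOL;   // unbalanced quotes: invalid SQL
echo update_name($dbh, $posted_name, 1), " row updated", PHP_EOL;
update_all($dbh, $posted_name);
foreach ($dbh->query("select id, name from my_table order by id") as $row) {
    echo $row['id'], ': ', $row['name'], PHP_EOL;
}
```

Running `build_unsafe` against a real connection would fail on the quote in `O'Brien`, whereas `update_name` stores it verbatim; that difference is the whole point of binding the element rather than concatenating it.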