-2

I am fetching results from a database using PDO with a URL query string.

url: index.php?bType=doctor&loc=asia|india

CODE:

$bind = array();
$str = explode('|', $_GET[loc]);
foreach ($str as $loc) {
    $bloc[] = $loc;
}
$loca = implode("','", $bloc);
$btype = $_GET['bType'];

$sqlsb = "SELECT * FROM t_business WHERE 1=1";
if(isset($_GET['bType'])){ $sqlsb .=" AND type like :btype"; $bind['btype']='%'. $btype .'%';}

if(isset($_GET['loc'])){ $sqlsb .=" AND location IN (:loca)"; $bind['loca']="'$loca'";}

$qsb = $db->prepare($sqlsb);
$qsb->execute($bind);

The above code fetches nothing.

print_r($bind) shows Array ( [btype] => doctor [loca] => asia','india )

If I do it without using prepared statements, it works.

I am writing this code for refine-search filters.

Thanks

UPDATE

As CoursesWeb answered, I made changes:

if(isset($_GET['bType'])){ $sqlsb .=" AND type like :btype"; $bind['btype']='%'. $btype .'%';}
if(isset($_GET['loc'])){ $sqlsb .=" AND location IN (:loca)";  $bind['loca']="'$loca'";}

It works for :btype but not with :loca.

print_r($bind) shows array ( [btype] => %doctor% [loca] => 'asia','india' )

I need to do something better with loc than using implode, I think.

Gopal
  • 1
    Whether the data comes from an URL, POST, COOKIES, SESSION, files, a database, an email, a variable etc., it doesn't change how PDO works. Enable notices and you'll see that `$_GET[loc]` is just bad. `loc` here refers to a constant named `loc` - when it can't find that, it gives up and converts it to a string. What's wrong with `$_GET['loc']`? – h2ooooooo Dec 21 '13 at 16:02
  • Why are you all downvoting it? I think it will also help people in the future. – Gopal Dec 21 '13 at 16:40

1 Answer

0

For prepared values used in a LIKE statement, the "?" or "%" characters must be added together with the value, not in the SQL statement.

$btype = '%'. $btype .'%';
$sqlsb = "SELECT * FROM t_business WHERE type LIKE :btype";
CoursesWeb
  • Thanks, works for `btype` but not with `loc`. See updated answer. – Gopal Dec 21 '13 at 16:26
  • Maybe the answers on this page can help you: http://stackoverflow.com/questions/1586587/pdo-binding-values-for-mysql-in-statement or look on the net for: "pdo bind in statement". – CoursesWeb Dec 21 '13 at 17:22
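
Added example, not code from any of the posts above: a bound parameter is always sent as one value, so `IN (:loca)` compares `location` against the single string `'asia','india'`, which is why nothing is returned. The usual pattern is one placeholder per list element, shown here with the question's table and column names; the helper name `findBusinesses`, the sample rows and the in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: table and column names follow the question; the rows and
// the in-memory SQLite database are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE t_business (name TEXT, type TEXT, location TEXT)");
$ins = $db->prepare("INSERT INTO t_business VALUES (?, ?, ?)");
foreach ([['A', 'doctor', 'asia'], ['B', 'doctor', 'india'],
          ['C', 'doctor', 'europe'], ['D', 'lawyer', 'asia']] as $row) {
    $ins->execute($row);
}

// Hypothetical helper: builds the filtered query with one named placeholder
// per IN() element, so every value from the URL travels as bound data.
function findBusinesses(PDO $db, array $get): array
{
    $sql  = "SELECT name FROM t_business WHERE 1=1";
    $bind = [];

    if (isset($get['bType']) && is_string($get['bType']) && $get['bType'] !== '') {
        $sql .= " AND type LIKE :btype";
        $bind[':btype'] = '%' . $get['bType'] . '%';
    }

    if (isset($get['loc']) && is_string($get['loc'])) {
        // Drop empty segments such as the ones in "asia||india".
        $locs = array_values(array_filter(explode('|', $get['loc']), 'strlen'));
        if ($locs) {
            $names = [];
            foreach ($locs as $i => $loc) {
                $names[] = ":loc$i";
                $bind[":loc$i"] = $loc;
            }
            $sql .= " AND location IN (" . implode(', ', $names) . ")";
        }
    }

    $stmt = $db->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The URL from the question: loc is split on '|' and each part is bound.
print_r(findBusinesses($db, ['bType' => 'doctor', 'loc' => 'asia|india']));
// The string the question bound as one value: quotes inside it stay data.
print_r(findBusinesses($db, ['bType' => 'doctor', 'loc' => "asia','india"]));
```

Only the placeholder names are concatenated into the SQL text, and they are generated from array indexes, never from request data.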