
My code is:

```php
<?php
$pdo = new PDO("mysql:host=example;dbname=test;", "test", "test");
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$st = $pdo->prepare("select * from account where username =? limit ?");
$st->execute(array('buding', 2));

$res = $st->fetchAll();
var_dump($res);
?>
```

When I use it on PHP 5.1.6, I see through Wireshark that the SQL sent to MySQL is:

```sql
select * from account where username ='23' limit '2'
```

But on PHP 5.3, the SQL is:

```sql
select * from account where username =? limit ?
```

(what I want)

How can I use the true PDO prepare? Is it a PHP bug, or am I using it the wrong way?

My MySQL version is 5.0.7.

xdstack
  • 3
    Dear God man, upgrade your PHP version if you can! :-) – cmbuckley Feb 24 '14 at 14:23
  • 2
    And your MySQL version. – Andrew Feb 24 '14 at 14:27
  • 1
    If you want to use the _"true"_ PDO prepare, don't expect to see the query sent in one go. That's how prepared statements work: MySQL receives a query string to prepare, containing `?` placeholders. Later (when calling `PDOStatement::execute`), over a different protocol, the parameters for that query will be sent. That's why prepared statements are safer than regular queries: the query is processed differently from data that may need escaping... – Elias Van Ootegem Feb 24 '14 at 14:30
  • 1
    PS: Given your dated stack [***don't disable emulated prepared statements***](http://stackoverflow.com/questions/10113562/pdo-mysql-use-pdoattr-emulate-prepares-or-not) – Elias Van Ootegem Feb 24 '14 at 14:34
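
The Wireshark observation in the question can be checked mechanically. The following is an added example, not part of the original post or its comments: it classifies client-to-server MySQL packets by command byte, so a `COM_QUERY` carrying already-quoted values indicates emulated prepares, while `COM_STMT_PREPARE` followed by `COM_STMT_EXECUTE` indicates native ones. It assumes an unencrypted, uncompressed, already reassembled client byte stream; the function names and both sample streams are constructed for illustration.

```python
# MySQL command bytes: the first payload byte of each client-to-server packet.
COMMANDS = {0x03: "COM_QUERY", 0x16: "COM_STMT_PREPARE", 0x17: "COM_STMT_EXECUTE"}


def packet(payload, seq=0):
    """Frame a payload as a MySQL packet: 3-byte LE length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def classify(stream):
    """Walk a client-to-server byte stream; return a list of (command, detail)."""
    out, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if length == 0 or len(payload) < length:
            break  # empty or truncated packet: stop rather than guess
        pos += 4 + length
        cmd = payload[0]
        if cmd in (0x03, 0x16):  # SQL text follows the command byte
            detail = payload[1:].decode("utf-8", "replace")
        elif cmd == 0x17 and length >= 5:  # 4-byte LE statement id follows
            detail = "statement_id=%d" % int.from_bytes(payload[1:5], "little")
        else:
            detail = ""
        out.append((COMMANDS.get(cmd, "OTHER(0x%02x)" % cmd), detail))
    return out


def prepare_mode(stream):
    """'native' if a statement was prepared server-side, 'emulated' if only
    plain-text queries were sent, 'unknown' if neither was seen."""
    cmds = {c for c, _ in classify(stream)}
    if "COM_STMT_PREPARE" in cmds:
        return "native"
    return "emulated" if "COM_QUERY" in cmds else "unknown"


# Constructed sample streams (not real captures), using the SQL text from the question.
EMULATED = packet(b"\x03select * from account where username ='23' limit '2'")
NATIVE = (
    packet(b"\x16select * from account where username =? limit ?")
    # execute: stmt id 1, flags, iteration count, NULL bitmap, types, two string values
    + packet(b"\x17" + (1).to_bytes(4, "little") + b"\x00" + (1).to_bytes(4, "little")
             + b"\x00\x01\xfd\x00\xfd\x00" + b"\x0223\x012")
)

if __name__ == "__main__":
    for name, stream in (("emulated", EMULATED), ("native", NATIVE)):
        print(name, prepare_mode(stream), classify(stream))
```
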

0 Answers