
I am really new to PDO, but I need to use it to avoid SQL injections.

Here is my SQL query with the variables I got via the POST request, and I want to do the same with PDO (this version works):

if($refid == "") $refid="%";

$lastOrders = "SELECT * FROM Orders WHERE REFID LIKE'$refid' 
               ORDER BY dateAdded DESC LIMIT 0,$limiter";
$ps_orders = $db->query($lastOrders);
$data = $ps_orders->fetchAll();

My problem(s): the given $refid is either a number that I can find in the database, or it isn't specified by the POST request (so the value is $refid=""), and in that case I want to set the WHERE part to this: WHERE REFID LIKE '%', so that I can see all results for every "RefID". Is there a way to do it that way, or do I really need to create 2 different SQL queries for both cases?

My try:

if($refid == "") $refid="%";

$sql = "SELECT * FROM Orders WHERE REFID LIKE ':refid'
ORDER BY dateAdded DESC LIMIT :min,:max";
$ps_orders = $db->prepare($sql);
$ps_orders->bindParam(':refid', $refid, PDO::PARAM_STR);
$ps_orders->bindParam(':min', 0, PDO::PARAM_INT);
$ps_orders->bindParam(':max', $limiter, PDO::PARAM_INT);
$db->execute();
kentor
  • Why use PDO without prepared statements.. – Mihai Aug 26 '14 at 19:51
  • http://stackoverflow.com/questions/10014147/limit-keyword-on-mysql-with-prepared-statement-maybe-still-a-bug – Mihai Aug 26 '14 at 19:52
  • $ps_orders->bindParam(':min', 0, PDO::PARAM_INT); $ps_orders->bindParam(':max', (int)$limiter, PDO::PARAM_INT); – Usman Shaukat Aug 26 '14 at 20:15
  • It is still not working. How can I remove this stupid duplicated mark?! -.- – kentor Aug 26 '14 at 20:35
  • You're using `':refid'` in your SQL string. You don't need to quote your placeholders like that - the database will take care of that for you when you prepare the data. You might want to explain - what do you mean when you say this isn't working? Do you get a syntax error from the PHP? An error from the database? Do you get the wrong data? Some of the right data? – andrewsi Sep 06 '14 at 03:11
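Since the question has no answers, the following is an added example (my own code, not the asker's attempt and not from any answer on this page) showing the prepared-statement form of the query above. It is run against an in-memory SQLite table so that it executes offline; the table and column names follow the question, while the sample rows and the helper names `connect` and `lastOrders` are assumptions of mine. It addresses the three problems the comments point at (quoted placeholder, `bindParam` on a literal, `execute()` called on the connection) and additionally escapes `%`/`_` typed by the user, which the question does not ask for but which matters once the value goes into a LIKE pattern. The `ESCAPE '\'` clause is standard SQL and works on both SQLite and MySQL.

```php
<?php
// Added example (not the asker's code): prepared-statement version of the
// "last orders" query, run on an in-memory SQLite database so it works offline.
// Table/column names follow the question; the sample rows are constructed here.

function connect(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Use real server-side prepares. This matters on MySQL: with emulated
    // prepares, bound LIMIT values may be sent as quoted strings ("LIMIT '0','10'"),
    // which is a syntax error. SQLite always prepares natively.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $db->exec('CREATE TABLE Orders (id INTEGER PRIMARY KEY, REFID TEXT, dateAdded TEXT)');
    $ins = $db->prepare('INSERT INTO Orders (REFID, dateAdded) VALUES (?, ?)');
    // Constructed sample data; the last row has a literal '%' in its REFID
    // to show that user input is matched literally, not as a wildcard.
    foreach ([['1001', '2014-08-01'], ['1002', '2014-08-02'],
              ['1001', '2014-08-03'], ['10%1', '2014-08-04']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Fetch the newest orders. An empty $refid means "any REFID" and becomes the
 * single wildcard '%'; a non-empty $refid is matched literally.
 * One query handles both cases, so no second SQL string is needed.
 */
function lastOrders(PDO $db, string $refid, int $limiter): array {
    if ($refid === '') {
        $pattern = '%';                              // match every REFID
    } else {
        // Backslash-escape LIKE metacharacters coming from the user, so that
        // a typed '%' or '_' cannot widen the match. ESCAPE '\' below tells
        // the database that backslash is the escape character for this query.
        $pattern = addcslashes($refid, '\\%_');
    }

    // Placeholders are NOT quoted inside the SQL text. PDO transmits the
    // bound values separately; quoting ':refid' would search for the literal
    // string ":refid" and break the binding.
    $sql = "SELECT * FROM Orders WHERE REFID LIKE :refid ESCAPE '\\'
            ORDER BY dateAdded DESC LIMIT :min, :max";
    $stmt = $db->prepare($sql);

    $stmt->bindValue(':refid', $pattern, PDO::PARAM_STR);
    // bindValue rather than bindParam: bindParam binds a variable by
    // reference, so passing the literal 0 to it is an error.
    $stmt->bindValue(':min', 0, PDO::PARAM_INT);
    // Clamp the page size and bind it as an integer (a string here is the
    // other classic cause of LIMIT failures on MySQL).
    $stmt->bindValue(':max', max(1, $limiter), PDO::PARAM_INT);

    $stmt->execute();   // execute() belongs to the statement, not to the PDO connection
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();
// No REFID from the request: the wildcard path, every order newest first.
print_r(array_column(lastOrders($db, '', 10), 'REFID'));
// A specific REFID from the request: only that REFID's orders.
print_r(array_column(lastOrders($db, '1001', 10), 'REFID'));
// A user-typed '%' is escaped, so it only matches a REFID containing '%'.
print_r(array_column(lastOrders($db, '10%1', 10), 'REFID'));
// A LIMIT of 1 from the request: only the single newest row.
print_r(array_column(lastOrders($db, '', 1), 'REFID'));
```

Run it with `php example.php` (needs the pdo_sqlite extension). Note that the `refid` column in the page's query is compared with LIKE even when a full value is given; if `REFID` is really numeric and the empty case is the only reason for LIKE, an equivalent alternative is `WHERE (:refid = '' OR REFID = :refid)` with the value bound twice, which avoids pattern matching entirely.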

0 Answers