3

I'm trying this (and all PoST var are treated before user send it, no SQL Injection worries):

$stmt = $con->prepare($sql);
$stmt->bindParam(":1", $this->getPes_cdpessoa());
$stmt->bindParam(":2", $this->getPdf_nupessoa_def());

When any of those vars are NULL, PDO cries and don't let execute my statement, and on my Table, i DO allow these fields beign nullables.

Is there any way to check if the values are empty, pdo just bind NULL to then (and i mean, a smart way instead if(empty($_POST['blablabla')...) for every single param?

alex
  • 31
  • 1
  • 2

3 Answers3

5

Try:

$stmt = $con->prepare($sql);
$stmt->bindParam(':1', $this->getPes_cdpessoa(), PDO::PARAM_NULL);
$stmt->bindParam(":2", $this->getPdf_nupessoa_def(), PDO::PARAM_NULL);

Also, see:

Community
  • 1
  • 1
karim79
  • 339,989
  • 67
  • 413
  • 406
2

bindParam needs an actual variable to be passed to it, because it creates a reference. So, when your functions return null, bindParam doesn't really have anything valid to do.

You need to use bindValue instead. Note that bindValue will immediately use whatever value you pass to it, where bindParam waits until statement execution to actually retrieve the values to use.

John Flatness
  • 32,469
  • 5
  • 79
  • 81
  • 1
    if I use bindValue, all the security of Params are gone. All I wanted to do is Allow nulls.. – alex Aug 27 '10 at 18:59
  • 4
    `bindValue` still gives you the same prepared-statement-and-placeholder goodness that you get with `bindParam`. The main differences are the time when the value is actually evaluated, and that you can't get DB output like you can with `bindParam`. – John Flatness Aug 27 '10 at 20:19
0

The Alternative syntax works:

$stmt = $con->prepare($sql);
$stmt->execute(array($this->getPes_cdpessoa(), $this->getPdf_nupessoa_def()));
Theodore R. Smith
  • 21,848
  • 12
  • 65
  • 91