PHP PDO "select like" query

Question

I'm trying to bind two parameters to a prepared PDO select statement. This is what I have so far:

$query = "select * from books where ? LIKE ?";
$result = $db->prepare($query);
$result->bindValue(1, $searchTerm, PDO::PARAM_STR);
$result->bindValue(2, "%$searchValue%", PDO::PARAM_STR);
$result->execute();
$rows = $result->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);

This executes successfully but I don't get any rows returned.

But when I use only 1 param

$query = "select * from books where title LIKE ?";
$result->bindValue(1, "%$searchValue%", PDO::PARAM_STR);

I get rows returned. I've checked 1000 times for my param values and names and they are fine.

I don't understand why this doesn't work with two params. Please advice.

You can't substitute a SQL identifier, like the name of a column, by a placeholder. — julp, Mar 13 '16 at 12:31
See http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter ... you can't bind table or column names — tschaible, Mar 13 '16 at 12:31

score 5 · Accepted Answer · answered Mar 13 '16 at 12:32

5

You can not bind column names in PDO with the PARAM_STR type. Ideally, you should not be binding the columns in your query, but if you really want to do so, use the PARAM_INT data type:

$query = "select * from books where ? LIKE ?";
$result = $db->prepare($query);
$result->bindValue(1, $searchTerm, PDO::PARAM_INT);
$result->bindValue(2, "%$searchValue%", PDO::PARAM_STR);
$result->execute();

answered Mar 13 '16 at 12:32

hjpotter92

78,589
36
144
183

Thank you very much. I never expected it to be something like that. – Beni Mar 13 '16 at 13:07

PHP PDO "select like" query

1 Answers1