
I am trying to complete my prepared statement, which uses the PDO class. My specific problem is that, for the sake of god, I am not able to get the :val after the WHERE clause into the quotes which are needed to fire the SQL statement. I have tried concatenating it and also the quote() function, but nothing seems to work. I am pretty sure I am missing something little, but I can't find it. The statement can't be the mistake, because I tested it directly on my DB and it works.
Here is my code:

public function find($column, $value){
    $stmt = $this->connection->prepare("
        SELECT *
         FROM benutzer
         WHERE $column = :val
    ");
    //$stmt->bindParam(":col", $this->connection->quote($column), PDO::PARAM_STR);
    $stmt->bindValue(":val", $this->connection->quote($value), PDO::PARAM_STR);
    $stmt->execute();
    // Set the fetchmode to populate an instance of 'User'
    // This enables us to use the following:
    //     $user = $repository->find(1234);
    //     echo $user->firstname;
    $stmt->setFetchMode(PDO::FETCH_CLASS, 'User');
    return $stmt->fetch();
}

EDIT: As I mentioned, I haven't found an answer which FULLY satisfies my needs. The problem is that I have tried all the different ways I have found in reliable communities, but not a single one has worked for me.

  • You can't bind tables or columns. You could make an array of column names and if the `$column` matches add it to the query, might want to add backticks too. I also wouldn't use the `quote` with the `bind` I think that would result in double escaping any quotes. – chris85 Mar 13 '16 at 18:02
  • Thank you chris85, it is true that you can't bind cols or tables, but another mistake of mine... I was testing wrong the whole time, damn you PHPStorm's integrated SQL statements :D – DrStrangeloovee Mar 13 '16 at 18:13
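
The pattern chris85's comment describes, written out as an added example (this is not the asker's code and not from any answer on this page): the column name is checked against a fixed allow-list and wrapped in backticks, and the value is bound raw so the driver does the escaping. It uses an in-memory SQLite database with a constructed `benutzer` table so it runs offline; the `UserRepository` and `User` class names, the column list and the sample rows are assumptions made for the example. It assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's code. Table schema, rows, class and column
// names below are constructed for illustration only.

final class User
{
    public int $id;
    public string $username;
    public string $email;
}

final class UserRepository
{
    // Identifiers cannot be bound as parameters, so the only safe way to take a
    // caller-supplied column name is to compare it against a fixed allow-list.
    private const ALLOWED_COLUMNS = ['id', 'username', 'email'];

    public function __construct(private PDO $connection) {}

    public function find(string $column, string|int $value): ?User
    {
        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }

        // The identifier has been validated, so interpolating it is safe; the
        // backticks guard against reserved words (MySQL and SQLite both accept them).
        $stmt = $this->connection->prepare(
            "SELECT id, username, email FROM benutzer WHERE `$column` = :val"
        );

        // Bind the raw value. Do NOT pass it through quote(): quote() returns the
        // value wrapped in quote characters, and a bound parameter is never
        // interpolated into the SQL text, so the quotes would become part of the
        // compared string and the row would never match.
        $stmt->bindValue(':val', $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        $stmt->execute();

        $stmt->setFetchMode(PDO::FETCH_CLASS, User::class);
        $user = $stmt->fetch();
        return $user === false ? null : $user;
    }
}

// Constructed fixture so the example runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE benutzer (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$insert = $pdo->prepare('INSERT INTO benutzer (username, email) VALUES (:u, :e)');
$insert->execute([':u' => 'alice', ':e' => 'alice@example.com']);
$insert->execute([':u' => "o'brien", ':e' => 'obrien@example.com']);

$repo = new UserRepository($pdo);

// A value containing an apostrophe is handled by the driver, no quoting needed.
$u = $repo->find('username', "o'brien");
echo $u?->email ?? 'not found', PHP_EOL;

// Reproducing the original mistake: quote() adds literal quote characters to
// the bound value, so nothing matches.
$u = $repo->find('email', $pdo->quote('alice@example.com'));
echo $u?->email ?? 'not found', PHP_EOL;

// An injected identifier is rejected before any SQL is built.
try {
    $repo->find('id = 1 OR 1', 1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`; the three lines printed are the matching e-mail for `o'brien`, `not found` for the `quote()`d lookup, and the rejection message for the injected column name. If the allowed set of columns grows, keep it as a literal list in the repository rather than reading it from user input or from a table the caller can influence.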
