
This is my code to count the number of rows in PHP PDO:

$sql = "SELECT count(name) FROM `info` WHERE name='$name' "; 
$result = $conn->prepare($sql); 
$result->execute(); 
$totalrows = $result->fetchColumn(); 

But the problem is, if `$name` contains a `'`, it gives an error. Prepared statements are fast, secure and better. How do I convert it into a prepared statement?

I tried to make it a PHP PDO statement, but it is not working:

$stmt = $conn->prepare("SELECT count(name) FROM `info` WHERE name='$name' "); 
$stmt->execute(array('name' => $name));
$totalrows = $stmt->fetchColumn(); 
Ravina Sharma
  • This is not how you use prepared statements. `SELECT count(name) FROM info WHERE name=?` then `$result->execute(array($name));` – chris85 Jun 11 '17 at 14:56
  • You only did 1/4 of what I said. You chose to use a named array, but didn't use a named placeholder, or a placeholder at all. – chris85 Jun 11 '17 at 15:01
  • I really do not understand what you mean. I am not an expert :/. This is what you said, where is the 3/4th part? Sorry – Ravina Sharma Jun 11 '17 at 15:32
  • I changed the query and the `execute`, you ignored the query change and only changed the `execute` (and changed it to named version). – chris85 Jun 11 '17 at 15:40
  • As your previous post, this is not how prepared statements work. Start here: http://php.net/manual/en/pdo.prepare.php – Robert Jun 11 '17 at 16:25
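
What the comments describe, as an added example that is not part of the original thread: the query text carries a placeholder and the value is passed only to `execute()`. The in-memory SQLite database, the sample rows and the function names are assumptions made so the script runs on its own.

```php
<?php
// Added example. In-memory SQLite stands in for the real database (assumption).
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE info (name TEXT)');

// Constructed sample rows, including names that contain an apostrophe.
$insert = $conn->prepare('INSERT INTO info (name) VALUES (?)');
foreach (["O'Brien", "O'Brien", 'Alice', "D'Arcy"] as $row) {
    $insert->execute([$row]);
}

// Positional placeholder: the SQL contains ? and no PHP variable.
function countByNamePositional(PDO $conn, string $name): int
{
    $stmt = $conn->prepare('SELECT COUNT(name) FROM info WHERE name = ?');
    $stmt->execute([$name]);
    return (int) $stmt->fetchColumn();
}

// Named placeholder: the array key must match the :name marker in the SQL.
function countByNameNamed(PDO $conn, string $name): int
{
    $stmt = $conn->prepare('SELECT COUNT(name) FROM info WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return (int) $stmt->fetchColumn();
}

// The attempt from the question: $name is still interpolated into the SQL,
// so the array given to execute() has no placeholder to bind to.
function countByNameInterpolated(PDO $conn, string $name): ?int
{
    try {
        $stmt = $conn->prepare("SELECT COUNT(name) FROM info WHERE name='$name' ");
        $stmt->execute(['name' => $name]);
        return (int) $stmt->fetchColumn();
    } catch (PDOException $e) {
        return null; // the statement could not be prepared or executed
    }
}

foreach (["O'Brien", 'Alice', 'nobody'] as $name) {
    $broken = countByNameInterpolated($conn, $name);
    printf("%-8s positional=%d named=%d interpolated=%s\n", $name,
        countByNamePositional($conn, $name), countByNameNamed($conn, $name),
        $broken ?? 'error');
}
```

With either placeholder style the apostrophe in `O'Brien` is bound as data and never becomes part of the SQL text, which is why the quoting error from the question disappears.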

0 Answers