
I have tried to execute the code below, but when I try `var_dump($query)` I get the following:

```
...{ ["queryString"]=> string(44) "SELECT * FROM `posts` WHERE :where LIMIT 15;" }
```

Code:

```php
// Fields, WHERE clause and LIMIT are all pasted into the SQL text except
// for :where, which is bound as a string parameter.
$query = Main::$data_base->pdo->prepare(
    'SELECT ' . $fields . ' ' .
    'FROM `posts` ' .
    'WHERE :where ' .
    'LIMIT ' . $posts_quantity . ';'
);

$query->bindParam( ':where', $where, PDO::PARAM_STR );

$query->execute();
```
Isaac Bennetch
Solembum
  • You cannot bind a table name, column name or a complete where clause. The prepare passes the query code for compilation to the DB. You cannot compile a query when you don't know those basic ingredients of a query – RiggsFolly Jul 02 '17 at 00:06
  • Possible duplicate of [How do I set ORDER BY params using prepared PDO statement?](https://stackoverflow.com/questions/2542410/how-do-i-set-order-by-params-using-prepared-pdo-statement) The answer to this question is on this page in the explanation of the answers. – mickmackusa Jul 02 '17 at 02:16

1 Answer

Binding has to be done with key-value pairs.

Correct:

```sql
where a=:value
```

in which `value` can of course be any name (do not use reserved keywords, out of politeness to future developers).

Replacing a complete part of a query with parameter binding is not allowed:

```sql
where :my_where_clause
```

with `:my_where_clause` being `a=b` is not allowed. The reason for this is that parameter binding is for parameters, which at that point in time are immediately escaped, preventing SQL injection; that would not be possible with the my_where_clause approach.

joanolo
Norbert
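The following is an added example, not code from the question or the answer above. It shows the pattern the answer and the comments describe: identifiers (the field list and the column names in the WHERE clause) cannot be bound, so they are checked against a whitelist before being interpolated, while the values and the LIMIT are bound as parameters. The `findPosts` function, the `$allowedColumns` whitelist and the `posts` sample rows are assumptions made for this example; it uses an in-memory SQLite database so it runs stand-alone, and quotes identifiers with double quotes (MySQL would use backticks, as the question's code does).

```php
<?php
// Added example: assemble a dynamic WHERE clause safely with PDO.
// Constructed in-memory SQLite database with sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT, published INTEGER)');
$insert = $pdo->prepare('INSERT INTO posts (title, author, published) VALUES (:title, :author, :published)');
foreach ([
    ['First post',  'alice', 1],
    ['Draft',       'alice', 0],
    ['Second post', 'bob',   1],
] as [$title, $author, $published]) {
    $insert->execute([':title' => $title, ':author' => $author, ':published' => $published]);
}

/**
 * Hypothetical helper: run a SELECT whose WHERE clause is built from an
 * array of column => value conditions. Column names are validated against
 * a whitelist (identifiers cannot be bound); values are bound (they can);
 * LIMIT is bound as an integer.
 */
function findPosts(PDO $pdo, array $fields, array $conditions, int $limit): array
{
    // Assumed whitelist: the only identifiers this query may contain.
    $allowedColumns = ['id', 'title', 'author', 'published'];

    foreach ($fields as $field) {
        if (!in_array($field, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column in field list: $field");
        }
    }
    foreach (array_keys($conditions) as $column) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column in WHERE: $column");
        }
    }

    // Identifiers passed the whitelist, so they may be interpolated;
    // each condition gets its own named placeholder for the value.
    $fieldList = implode(', ', array_map(fn($f) => "\"$f\"", $fields));
    $where = [];
    $params = [];
    foreach ($conditions as $column => $value) {
        $where[] = "\"$column\" = :$column";
        $params[":$column"] = $value;
    }
    $sql = 'SELECT ' . $fieldList . ' FROM posts';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $sql .= ' LIMIT :limit';

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);
    }
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal use: author and published are bound values.
print_r(findPosts($pdo, ['id', 'title'], ['author' => 'alice', 'published' => 1], 15));

// A value containing SQL syntax is compared as a literal string, never parsed as SQL.
print_r(findPosts($pdo, ['id', 'title'], ['author' => "alice' OR '1'='1"], 15));

// An identifier that is not on the whitelist is rejected before any SQL is built.
try {
    findPosts($pdo, ['*'], ['id' => 1], 15);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The split is the whole point of the answer: everything that changes the shape of the statement (columns, table, operators, the number of conditions) is decided by the application against a fixed list, and everything that is merely data travels through `bindValue`. Binding the LIMIT with `PDO::PARAM_INT` avoids the string concatenation the question used for `$posts_quantity`.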