
I used the following answer in order to patch SQLi (How can I prevent SQL injection in PHP?), however, although the connection to the database is made, the pages are left blank, as if the data is not returned. Here's an example:

    public function getPlayerInfo($name){
        $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = ':name'"); 
        //$stmt->execute(); 
        return $stmt->execute(array('name' => $name)); } // I tried using this but it didn't work, information page is left blank
        return $stmt->fetchAll(PDO::FETCH_ASSOC); } // This one used to work before I applied the patch

I'm using the function in the player information page to display his information. How can I use it in order to return an array that can be read on that page via foreach?

Thanks!

Nutz

1 Answer

Remove the single quotes around the placeholder :name; your prepared statement should look like this:

$stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = :name"); 

Here's the complete getPlayerInfo() method:

public function getPlayerInfo($name){
    $stmt = $this->db->prepare("SELECT * FROM playerinfo WHERE PlayerName = :name"); 
    $stmt->execute(array('name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC); 
}

This issue has already been documented here: http://php.net/manual/en/pdo.prepare.php#111458

Rajdeep Paul
  • pastebin.com/xSqEbWUp Tried using the following code, didn't work out either. Previously, only the div with the user info was blank, but now the entire page is blank as if there's a fatal error or something – Nutz Jul 02 '17 at 20:18
  • 1
    @Nutz A *blank* page means something is broken. Turn on error reporting, add these two lines `ini_set('display_errors', 1); error_reporting(E_ALL);` at the very top of your PHP scripts and see if it yields any error or not. – Rajdeep Paul Jul 02 '17 at 20:21
  • Also worth mentioning that PHP developers should always watch for errors in their http error log. – Bill Karwin Jul 02 '17 at 20:35
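A runnable illustration of the answer's point (added example, not code from the question or the answer): with the placeholder wrapped in quotes the SQL parser sees a string literal, so there is no parameter to bind and PDO reports an error instead of returning rows; with PDO::ERRMODE_EXCEPTION enabled that error becomes a visible exception rather than a silent `false` and an empty page. It uses an in-memory SQLite database and a constructed `playerinfo` table; the table layout and the player names are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for the question's database.
$db = new PDO('sqlite::memory:');
// Surface PDO failures as exceptions instead of a silent false return.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE playerinfo (PlayerName TEXT, Score INTEGER)");
$db->exec("INSERT INTO playerinfo VALUES ('alice', 10), ('bob', 20)");

// Runs $sql as a prepared statement with :name bound to $name and
// returns the rows, or the PDO error message if execution fails.
function lookup(PDO $db, string $sql, string $name)
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute(['name' => $name]);   // value is bound, never interpolated
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        return 'PDO error: ' . $e->getMessage();
    }
}

// Broken form from the question: ':name' in quotes is a literal string,
// so the statement has no parameter and binding 'name' fails.
$broken = "SELECT * FROM playerinfo WHERE PlayerName = ':name'";
print_r(lookup($db, $broken, 'alice'));

// Corrected form from the answer: :name is a real placeholder.
$fixed = "SELECT * FROM playerinfo WHERE PlayerName = :name";
print_r(lookup($db, $fixed, 'alice'));   // one row: alice, 10

// The binding also neutralises injection attempts: the whole string is
// compared as a value, so no row matches and no extra SQL runs.
print_r(lookup($db, $fixed, "alice' OR '1'='1"));   // empty array
```

Without ERRMODE_EXCEPTION (the default before PHP 8.0), the broken form's execute() simply returns false and fetchAll() yields nothing, which is exactly the blank information page the question describes.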