1

i am getting a Syntax error or access violation, when i use the below format in the query.

$limit = $request->getAttribute('limit');
$sql = "SELECT * FROM users WHERE status = 1 ORDER BY date DESC LIMIT :limit";

 try{
    $db = new db();
    $db = $db->connect();
    $stmt = $db->query($sql);
    $stmt->bindParam(":limit", $limit);

    $users = $stmt->fetchAll(PDO::FETCH_OBJ);

    $db = null;

    if(empty($users)) {
        $response->getBody()->write
        ('
        {
            "error":
            {
                "message":"Invalid Request"
            }
        }');
    } else {
        $response->getBody()->write(json_encode($users));
    }
} catch(PDOException $e) {}

how can i call the attribute for the limit within the query ?

mirvatJ
  • 366
  • 1
  • 3
  • 15

5 Answers5

3

You need do it like below (changes are commented):-

$limit = $request->getAttribute('limit');
$sql = "SELECT * FROM users WHERE status = 1 ORDER BY date DESC LIMIT :limit";

try{
    $db = new db();
    $db = $db->connect();
    $stmt = $db->prepare($sql); //prepare sql first
    $stmt->bindValue(':limit',(int)$limit,PDO::PARAM_INT);//tell value is integer
    $users = $stmt->fetchAll(PDO::FETCH_OBJ);

    if(count($users) ==0) {
        $response->getBody()->write('{"error":{"message":"No More Users Exist"}}');
    } else {
        $response->getBody()->write(json_encode($users));
    }
    $db = null;
} catch (PDOException $e) {
   print "Error!: " . $e->getMessage() . "<br/>";
   die();
}
Alive to die - Anant
  • 70,531
  • 10
  • 51
  • 98
  • still no result i get No More Users Exist – mirvatJ Aug 31 '17 at 13:30
  • 1
    no you answered my question, and fixed my syntax error that i was getting, this is something form the query since even if i replace `:limit` with `limit = 2` i still get no data, i'l figure it out, thanks for your help buddy – mirvatJ Aug 31 '17 at 13:38
2

The syntax error you see occurs because when you bindParam(), PDO by default inserts your parameter as a string, so the DB engine sees something like LIMIT "10".

So you have 2 choices: you could tell PDO to insert the value as an integer (see @Alive to Die answer) or, more simply, you can cast it to an integer and put it right in the query. Since you're casting first, there is no risk of SQL injection:

$limit = (int) $request->getAttribute('limit');
$sql = "SELECT * FROM users WHERE status = 1 ORDER BY date DESC LIMIT $limit";
BeetleJuice
  • 39,516
  • 19
  • 105
  • 165
0

It's better to use prepare and execute statement like : 

$limit=10
$req=$db->prepare('SELECT * FROM users WHERE status = ? ORDER BY date DESC LIMIT ?');
$req->execute(array(1, $limit));

I never use bindParam statement.

Azee
  • 71
  • 12
  • 3
    `$db->('SELECT...`? I think you missed the `prepare()`. Also, I don't think `status` is the same as `limit`. The OP have the value of `status` hard coded, so keep it hard coded. – M. Eriksson Aug 31 '17 at 12:34
  • 1
    Yes, corrected . – Azee Aug 31 '17 at 12:36
0

Symply put your $limit variable in query

$limit = $request->getAttribute('limit');
$sql = "SELECT * FROM users WHERE status = 1 ORDER BY date DESC LIMIT $limit";
Sadikhasan
  • 18,365
  • 21
  • 80
  • 122
0

In PDO define it as an INT

$stmt->bindParam(':limit', $limit, PDO::PARAM_INT);
Carlos Alves Jorge
  • 1,919
  • 1
  • 13
  • 29