PDO returning false when fetching

Question

I have this method:

protected function _getByColumn($columnName, $value)                                                                                                                                                                                  
{                                                                                                                                                                                                                                     
        $sql = "SELECT * FROM $this->__tableName                                                                                                                                                                                           
                WHERE :column = :value";                                                                                                                                                                                                   
        $stmt = $this->__db->prepare($sql);                                                                                                                                                                                                
        $stmt->execute(array(':value' => $value, ':column' => $columnName));                                                                                                                                                               
        $val=$stmt->fetch(PDO::FETCH_OBJ);                                                                                                                                                                                                 
        var_dump($val);   //getting boolean false


}

am i doing something wrong in the way i do the PDO call? i had output $columnName and $value and also echod $sql, manually replaed :column and :value, and everything worked. suggestions?

edit:

string 'SELECT * FROM myTable
               WHERE :column = ':value'' (length=61)

string 'blog_id' (length=9) 

string 'a3sasidsf' (length=8)

all values are as expected.

Check that `$this->__tableName` actually exists, otherwise you'll be doing `SELECT * FROM WHERE ...`. And check `$this->__db->errorInfo`, which'd contain the server-side error message. — Marc B, Apr 22 '11 at 19:01
[How to squeeze error message out of PDO?](http://stackoverflow.com/questions/3726505/how-to-squeeze-error-message-out-of-pdo) — Pekka, Apr 22 '11 at 19:02
Technically, there is no error message, since there is no error. It's returning false since there is no matching row. But if you did `_getByColumn('foo', 'foo')` it would always return all rows... — ircmaxell, Apr 22 '11 at 19:29

score 2 · Accepted Answer · answered Apr 22 '11 at 19:04

2

You can't use a bound param as an identifier. Right now, your code is saying $columname = $value as opposed to the desired {value of $columname} = $value. You cannot bind identifiers. The best solution if you want to take in a variable column name is to white-list the input against known column names and then quote it. So:

if (in_array($columnName, $columns)) {
    $sql .= '`' . $columnName . '` = :value';
} else {
    die('illegal column');
}

answered Apr 22 '11 at 19:04

ircmaxell

163,128
34
264
314

i changed it so the column identifier is just a string that gets set before the prepare statement, however i'm still getting the same problem. – tipu Apr 22 '11 at 19:15
i lied. column name was the issue. – tipu Apr 22 '11 at 19:17

PDO returning false when fetching

1 Answers1