
My SQL request doesn't work if I use a function parameter to choose the column. My goal is to have one function for all requests. Thanks in advance.

    $dbh = Connection::getPdo();
    try {
        // Both the column name and the value are passed as ? placeholders
        $sth = $dbh->prepare('SELECT users_id, nom, prenom, password, role, email, users_login FROM users where ? = ? ');
        // The value is wrapped in single quotes before binding
        $value = "'" . $value . "'";

        $sth->execute(array($parameter, $value));

        $data = $sth->fetch(PDO::FETCH_ASSOC);

        $user = new Users();
        $user->setUserFromArray($data);

    } catch (PDOException $e) {
        die("ERROR: Could not able to execute query " . $e->getMessage());
    }
    return $user;
}
  • Why are you putting the value in quotes? It's changing the value that it's looking for. Quotes are unnecessary since parameter binding will securely pass the values. – aynber Jul 28 '22 at 17:36
  • Why do you catch an exception and then `die`? That's a horrible practice that leaks sensitive information to the user. Please do not catch exceptions if you have no intention of recovering from them – Dharman Jul 28 '22 at 17:38
  • 1
    You can't substitute a column name with a placeholder. – Guido Faecke Jul 28 '22 at 17:39
  • Many thanks all for your help. – JBB Jul 29 '22 at 10:31
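The two points raised in the comments, that a `?` placeholder can only carry a value (never a column name) and that the value must not be quoted by hand, are shown below in a self-contained example. This is added illustration, not the asker's code: it assumes an in-memory SQLite PDO connection with the `pdo_sqlite` driver (the original uses `Connection::getPdo()` against MySQL, and the binding rules are the same), a `users` table with the columns from the question, and a hypothetical `findUserBy()` function; the rows are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumption: pdo_sqlite is
// available; the constructed table mirrors the columns in the question.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (
    users_id INTEGER PRIMARY KEY, nom TEXT, prenom TEXT, password TEXT,
    role TEXT, email TEXT, users_login TEXT)');
$dbh->exec("INSERT INTO users VALUES
    (1, 'Dupont', 'Alice', 'hash1', 'admin', 'alice@example.com', 'alice'),
    (2, 'Martin', 'Bob',   'hash2', 'user',  'bob@example.com',   'bob')");

/**
 * Fetch one user row by a caller-chosen column (hypothetical helper).
 *
 * Identifiers cannot be bound with ?: a bound column name arrives as a
 * string literal, so `WHERE ? = ?` becomes `WHERE 'email' = 'alice@...'`,
 * a comparison of two constants that never matches a row. The column has
 * to be spliced into the SQL text, and the only safe way to do that with
 * caller input is to check it against an allow-list of known columns.
 */
function findUserBy(PDO $dbh, string $column, string $value): ?array
{
    // Columns a caller may search on. Anything else is rejected before it
    // can reach the query text, so no injection via the identifier is possible.
    static $searchable = ['users_id', 'email', 'users_login', 'nom', 'prenom'];

    if (!in_array($column, $searchable, true)) {
        throw new InvalidArgumentException("Not a searchable column: $column");
    }

    // $column is now one of our own plain identifiers, so it is safe to
    // interpolate. The value is bound as-is: the driver handles quoting.
    $sth = $dbh->prepare(
        "SELECT users_id, nom, prenom, password, role, email, users_login
           FROM users WHERE $column = ?"
    );
    $sth->execute([$value]);

    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1. Column from the allow-list, value bound without extra quotes: found.
$user = findUserBy($dbh, 'email', 'alice@example.com');
echo "by email: ", $user['users_login'], "\n";                 // alice

// 2. Quoting the value by hand (as in the question) searches for a string
//    that literally starts and ends with a quote character: nothing matches.
$quoted = findUserBy($dbh, 'email', "'alice@example.com'");
echo "hand-quoted value: ", var_export($quoted, true), "\n";   // NULL

// 3. The original query shape, binding the column name too: the WHERE clause
//    compares two literals and returns no row even though the data is there.
$sth = $dbh->prepare('SELECT users_id FROM users WHERE ? = ?');
$sth->execute(['email', 'alice@example.com']);
echo "bound column name: ", var_export($sth->fetch(PDO::FETCH_ASSOC), true), "\n"; // false

// 4. A column name that is not on the allow-list is refused; PDO errors are
//    left to propagate as exceptions rather than caught and passed to die().
try {
    findUserBy($dbh, 'password', 'hash1');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                               // Not a searchable column: password
}
```

Keeping `password` off the allow-list is deliberate: a generic "search by any column" function would otherwise let a caller look users up by password hash, so the list should contain only the columns the application actually needs to query on.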
