0

I have a script that manage my tables and contains function to get list or to get certain data by id. Right now one of my functions looks like this

//Returns a Series Object matching the given series id
public static function getById( $WHERE, $id ){
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql = "SELECT * FROM series $WHERE $id";
    $st = $conn->prepare( $sql );
    $st->execute();
    $row = $st->fetch();
    $conn = null;
    if( $row ) return new Series( $row );
}

But I want it to be like this

//Returns a Series Object matching the given series id
public static function getById( $statement ){
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql = "SELECT * FROM series $statement";
    $st = $conn->prepare( $sql );
    $st->execute();
    $row = $st->fetch();
    $conn = null;
    if( $row ) return new Series( $row );
}

So instead of having to do this

$series = Series::getById( ( string ) "WHERE id=", (int) $_POST['seriesId'] );

I can do this

$series = Series::getById( ( string ) "WHERE id=$_POST['seriesId']" );
Improve this question
1
  • You should use prepared statements. Commented Oct 19, 2015 at 1:12

1 Answer 1

Reset to default
1

The correct way of passing that value to your function would be like below:

$series = Series::getById("WHERE id=".$_POST['seriesId']);
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.