
I am trying to write a function in PHP and MySQL to select values from PHP and MySQL using PDO:

function getRec($id=0)
{
    ($id==0?$addQuery="":$addQuery=" where id =".$id);
    $statement = $dbh->prepare("select * from TCMS :name order by id");
    $statement->execute(array(':name' => $addQuery));
    $row = $statement->fetchAll(); 
    return $row ;
} 

I got this error:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' where id =2' order by id' at line 1' in /Applications/XAMPP/xamppfiles/htdoc

Actually, what I am trying to do is this:

If the value 2 is passed for ID, then the statement will be

select * from TCMS where id=2 order by id

And if ID=0, then the select statement will be

select * from TCMS order by id

I am new to PDO and not sure of the exact syntax.

How do I do this?

  • You can't do that. Placeholders are not arbitrary strings to insert into the SQL, they only work for parameters like WHERE something = :placeholder (Commented Nov 11, 2012 at 13:18)
  • Dear @Michael Berkowski, thanks for the reply; then how do I solve this? I need help with this. (Commented Nov 11, 2012 at 13:24)

2 Answers

Do this instead:

function getRec($id=0)
{
    //($id==0?$addQuery="":$addQuery=" where id =".$id);
    if ($id == 0)
    {
        $statement = $dbh->prepare("select * from TCMS order by id");
        $statement->execute();
    }
    else
    {
        // Notice the SQL string has changed. Placeholder :name now properly takes the place of a SQL value.
        $statement = $dbh->prepare("select * from TCMS where id = :name order by id");
        $statement->execute(array(':name' => $id));
    }

    $row = $statement->fetchAll(); 
    return $row ;
}

What you're doing wrong is you're attempting to bind and execute the SQL with the placeholder as arbitrary string values, which is not what the placeholder is for.

The placeholder is to be set in the place of the value (not table names or anything else) so that the value when passed in during execution will be properly handled by PDO internally for the correct escaping.

The function I wrote should help to create valid SQL.


If you need to dynamically add a WHERE clause, construct the SQL string first and prepare() it. If the condition was met to add parameters, you must then conditionally add the appropriate placeholder/value pairs to the array passed into execute().

You cannot bind a placeholder as an arbitrary SQL string.

// Array to pass into execute()
$values = array();

// Start your SQL...
$sql = "SELECT * FROM TCMS";
// Add the WHERE clause if $id is not zero
if ($id !== 0) {
   $sql .= " WHERE id=:name ";
   // And add the placeholder into the array
   $values[':name'] = $id;
} 
// add the ORDER BY clause
$sql .= " ORDER BY id";

// Prepare the statement
$statement = $dbh->prepare($sql);

$statement->execute($values);
// fetch, etc...
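Both answers make the same point: the SQL text is built conditionally, and only values are bound. The following is an added, self-contained example (not code from the question or either answer) that puts the pattern into a complete function and, as a generalisation beyond the page, extends it to several optional equality filters; since column names cannot be bound either, they are checked against a fixed allow-list. It assumes a PDO connection `$dbh`, uses an in-memory SQLite database so it runs stand-alone (with MySQL only the DSN changes), and the TCMS table, its `name`/`status` columns and rows are constructed for the demo.

```php
<?php
// Constructed demo database: the question's TCMS table with a few rows.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE TCMS (id INTEGER PRIMARY KEY, name TEXT, status TEXT)");
$dbh->exec("INSERT INTO TCMS VALUES (1,'alpha','open'),(2,'beta','closed'),(3,'gamma','open')");

// The question's case: optional id filter. The SQL text changes, the value is bound.
function getRec(PDO $dbh, $id = 0)
{
    $sql    = "SELECT * FROM TCMS";
    $values = array();
    if ($id != 0) {
        $sql .= " WHERE id = :id";      // placeholder stands in for a value only
        $values[':id'] = (int) $id;     // bound at execute(), never concatenated
    }
    $sql .= " ORDER BY id";
    $stmt = $dbh->prepare($sql);
    $stmt->execute($values);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Generalisation (assumed API, not from the page): any number of optional
// equality filters. Column names cannot be placeholders, so they are matched
// against an allow-list; the values go through the driver as parameters.
function getRecFiltered(PDO $dbh, array $filters)
{
    $allowed = array('id', 'name', 'status');   // columns callers may filter on
    $where   = array();
    $values  = array();
    foreach ($filters as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("unknown filter column: $column");
        }
        $where[]            = "$column = :$column";  // $column is allow-listed text
        $values[":$column"] = $value;                // value is a bound parameter
    }
    $sql = "SELECT * FROM TCMS";
    if ($where) {
        $sql .= " WHERE " . implode(" AND ", $where);
    }
    $stmt = $dbh->prepare($sql . " ORDER BY id");
    $stmt->execute($values);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(getRec($dbh, 2));                                   // row 2 only
print_r(getRec($dbh));                                      // all three rows
print_r(getRecFiltered($dbh, array('status' => 'open')));   // rows 1 and 3
print_r(getRecFiltered($dbh, array('id' => "2 OR 1=1")));   // compared as a literal value, not parsed as SQL
```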
