Parameter binding fails where concatenation works_问答_开发者

Parameter binding fails where concatenation works

开发者 https://www.devze.com 2022-12-09 05:23 出处：网络

I am trying to execute the following sql from php using pdo: SELECT * FROM my_table WHERE name=?. When I do this:

I am trying to execute the following sql from php using pdo: SELECT * FROM my_table WHERE name=?.

When I do this:

$sql = 'SELECT * FROM my__table WHERE name=?' ;  
$stmt = $dbconn->prepare($sql);  
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);  
$stmt->execute();

I get an empty result set.

When I do this:

$sql = 'SELECT * FROM my__table WHERE name=\''.$_POST['name'].'\'' ;  
$stmt = $dbconn->prepare($sql);  
$stmt->execute();

I get the row that I need.

The column 'name' is a VARCHAR(32). This bug only happens with strings. When th开发者_JAVA百科e bound parameter is an sql INTEGER everything works like it is supposed to.

I am using sqlite3, php 5.2.6 under Apache on Ubuntu.

Both of these should work:

Without using binding

$sql = "SELECT * FROM my__table WHERE name = ? " ;
$stmt = $dbconn->prepare($sql);
$stmt->execute(array($_POST['name']));

Using a named parameter

$sql = "SELECT * FROM my__table WHERE name = :name " ;
$stmt = $dbconn->prepare($sql);
$stmt->bindParam(':name', $_POST['name'], PDO::PARAM_STR);
$stmt->execute(array($_POST['name']));

What about this?

$sql = "SELECT * FROM my__table WHERE name='?'" ;  
$stmt = $dbconn->prepare($sql);  
$stmt->bindValue(1, $_POST['name'], PDO::PARAM_STR);  
$stmt->execute();