
Just a quick question about binding in PHP.

I know that if you do something like

$select = "update my_table set name ='" . $posted_name . "' where id=1";

then that is subject to SQL injection,

but how would you bind the query below?

$select = "update my_table set name ='" . $posted_name[$a] . "' where id=1";

In my bind array, this is how I am binding anything without [$a].

For example, with the first statement I am doing

   $select = "update my_table set name =:p_update_name where id=1";

   $bind_update = array('p_update_name' => $t_update_name);
  • php.net/manual/en/pdo.prepared-statements.php Commented Nov 25, 2013 at 13:23
  • @SureshKamrushi so in PDO you will do $stmt->bindParam(1, $name[$a]);? Commented Nov 25, 2013 at 13:25
  • stackoverflow.com/questions/60174/… Commented Nov 25, 2013 at 13:29
  • Thanks @YourCommonSense, but it doesn't show a method with $posted_name[$a]. It just includes a standard statement. Commented Nov 25, 2013 at 13:31
  • A method with $posted_name[$a] has absolutely nothing to do with prepared statements. Commented Nov 25, 2013 at 13:32

2 Answers

Try like this:

// $dbh is an open PDO connection; "?" are positional placeholders
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
// bindParam binds by reference, so the values are read when execute() runs
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

1 Comment

Can you try and cover both the PDO and the mysqli method in your answer please? Thanks.

You don't have to make all the names equal.

$select = "update my_table set name =:whatever where id=1";
$bind_update = array('whatever' => $random_variable);

will do. So it can be any variable you can think of, as long as it's a scalar variable, though.

5 Comments

What about the [$a]? Wouldn't I need to include that in the statement or the binding?
OK, I see your answer. So basically the way you are binding $select = "update my_table set name ='" . $posted_name[$a] . "' where id=1"; is the same as $select = "update my_table set name ='" . $posted_name . "' where id=1";
There is no binding in your example.
Sorry for the late reply. I updated my question to show how I am binding. I am using array binding (Oracle), but its query is no different, and the function that was written is in PHP.
All I can do is only repeat what I said before: there is absolutely no reason for the variables to have the same name as the placeholders.
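The following is an added example, not code from the question or from either answer, that ties the two answers together: the value of $posted_name[$a] is bound exactly like any other scalar, the placeholder name has nothing to do with the PHP variable name, and concatenating the element into the SQL text is what lets the injection through. It runs against an in-memory SQLite database through PDO so it needs no server; the table, the rows and the two $posted_name values (one harmless, one an injection payload) are constructed for the example. The mysqli function at the end is the equivalent for the other API the commenter asked about; it is not executed here because it needs a live MySQL connection, and the host, user, password and database it would take are placeholders.

```php
<?php
// Added example: binding $posted_name[$a] with PDO (and mysqli), not code from the page.
// The SQLite in-memory database, table contents and $posted_name values are constructed.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT)");
$dbh->exec("INSERT INTO my_table (id, name) VALUES (1, 'original'), (2, 'untouched')");

// Constructed "user input": element 0 is harmless, element 1 is an injection payload.
// Concatenated, the payload closes the quote, changes the WHERE clause, and comments
// out the rest of the statement, so row 2 is modified instead of row 1.
$posted_name = ["alice", "x' where id=2 --"];

// The pattern from the question: the element is concatenated into the SQL text.
function unsafe_update(PDO $dbh, string $value): void
{
    $sql = "update my_table set name ='" . $value . "' where id=1";
    $dbh->exec($sql);
}

// The bound version. The placeholder name (:p_update_name) is unrelated to the PHP
// variable; $posted_name[$a] is just the scalar value passed for that placeholder,
// and it travels separately from the SQL text, so it can never change the query.
function safe_update(PDO $dbh, string $value): void
{
    $stmt = $dbh->prepare("update my_table set name = :p_update_name where id = 1");
    $stmt->execute(['p_update_name' => $value]);
}

// Returns [id => name] for every row, to show what each update actually touched.
function names(PDO $dbh): array
{
    return $dbh->query("SELECT id, name FROM my_table ORDER BY id")
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Loop over the index $a exactly as in the question; the binding is the same for any $a.
foreach (array_keys($posted_name) as $a) {
    safe_update($dbh, $posted_name[$a]);
    echo "bound   a=$a: " . json_encode(names($dbh)) . "\n";
}
// After the bound updates row 1 holds the literal payload string and row 2 is untouched.

unsafe_update($dbh, $posted_name[1]);
echo "concat  a=1: " . json_encode(names($dbh)) . "\n";
// After the concatenated update row 2 has become 'x': the payload rewrote the WHERE clause.

// mysqli equivalent (not executed here: requires a live MySQL server; the connection
// below is a placeholder). mysqli only has positional "?" placeholders, and bind_param
// binds by reference, so pass a variable, e.g. bind_param('s', $posted_name[$a]).
function safe_update_mysqli(mysqli $db, string $value): void
{
    $stmt = $db->prepare("update my_table set name = ? where id = 1");
    $stmt->bind_param('s', $value);   // 's' = string type
    $stmt->execute();
    $stmt->close();
}
// Example of wiring it up (placeholder credentials, not run):
// $db = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
// safe_update_mysqli($db, $posted_name[$a]);
```

One caveat worth knowing when you use the bindParam style from the first answer: bindParam binds by reference and reads the value at execute() time, so `$stmt->bindParam(1, $posted_name[$a])` followed by a change to `$posted_name[$a]` (not to `$a`) sends the new value. bindValue, or passing the array to execute() as above, copies the value at the moment of binding, which is usually what you want inside a loop.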
