1

[ Status: Learner ]

I am attempting to implement a parameterized query but I am having problems. Jonathan Sampson recently hinted at how this could be done (#2286115), but I'm not following his suggestion correctly. Here is my script

$cGrade = "grade" ;

include_once ( "db_login.php" ) ;

$sql = "SELECT   last_name   AS last_name
               , first_name  AS first_name
               , grade       AS gr
               , ethnic      AS eth
               , sex         AS sex
               , student_id  AS id_num
               , reason      AS reason
               , mon_init    AS since
          FROM t_tims0809
         WHERE tag <> '' AND 
               tag IS NOT NULL AND
               schcode = {$schcode}
         ORDER
            BY ('%s') " ;

$qResult = mysql_query ( sprintf ( $sql, $cGrade ) or ( "Error: " . mysql_error() ) ) ;

The query works fine with grade in the ORDER BY phrase.

Thanks.

Improve this question
1
  • 1
    You want to be careful using this, especially if the order by "parameter" comes from the user. This is subject to a sQL injection because you're doing string replacement not a true parameterized query using safe quoting for the parameter. You'd be much better off using @Xorlev's suggestion and going with prepared statements. Commented Feb 20, 2010 at 5:16

2 Answers 2

Reset to default
7

Check out the MySQLi prepared statements class:

$query = "INSERT INTO myCity (Name, CountryCode, District) VALUES (?,?,?)";
$stmt = $mysqli->prepare($query);

$stmt->bind_param("sss", $val1, $val2, $val3);

$val1 = 'Stuttgart';
$val2 = 'DEU';
$val3 = 'Baden-Wuerttemberg';

/* Execute the statement */
$stmt->execute();

From the PHP manual.

I feel it's a much superior way of doing parameterized queries, I've switched over to prepared statements when possible, especially during bulk inserts/selects.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thank you, Xorlev. To tell you the truth, I don't know anything about OOP and when I see the "->" symbol, I run the other way. I'm going to give this a try, however.
@Dave Object Oriented Programming is a bit intimidating, but take it little-by-little, and you'll grow to love it :)
0

Xorlev's answer is entirely correct. There are other options for syntax too. You can specify the bind variables within the query by name:

$stmt = $mysqli->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();

Or if you want to do things shorthand and skip the call to bindParam():

$stmt = $mysqli->prepare('INSERT INTO tbl VALUES(?)');
$stmt->execute($stmt, array("some input"));
$stmt->execute($stmt, array("some other input"));
$stmt->execute($stmt, array("some more input"));
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.