I have a function, which is to return an array of rows containg records from a database, selected based on a LIKE query. I want this query to be a prepared statement for security reasons. Apparently I can not use bound parameters and the query function as I am doing. I am unsure then, of how to keep me query as a prepared statement, and return the rows that I m trying to return.
function getRowsByArticleSearch($searchString, $table, $max) {
$con = mysqli_connect("localhost", "x", "x", "x");
//global $con;
$recordsQuery = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME, date_format(str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s'), '%d %m %Y' ) AS shortDate FROM AUCTIONS WHERE upper(ARTICLE_NAME) LIKE '%?%' ORDER BY str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s')" . $max;
if ($getRecords = $con->prepare($recordsQuery)) {
$getRecords->bind_param("s", $searchString);
//$getRecords->execute();
echo "test if";
//$getRecords->bind_result($ARTICLE_NO, $USERNAME, $ACCESSSTARTS, $ARTICLE_NAME, $shortDate);
while ($getRecords->fetch()) {
$result = $con->query($recordsQuery);
$rows = array();
echo "test while";
while($row = $result->fetch_assoc()) {
$rows[] = $row;
}
}
return $rows;
} else {
print_r($con->error);
}
}
The while loop is never entered at all.
From stackoverflow
-
Although tedious if you've got many columns, you could just do:
function getRowsByArticleSearch($searchString, $table, $max) { $con = mysqli_connect("localhost", "x", "x", "x"); $recordsQuery = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME, date_format(str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s'), '%d %m %Y' ) AS shortDate FROM AUCTIONS WHERE upper(ARTICLE_NAME) LIKE ? ORDER BY str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s')" . $max; if ($getRecords = $con->prepare($recordsQuery)) { $getRecords->bind_param("s", $searchString); $getRecords->execute(); $getRecords->bind_result($ARTICLE_NO, $USERNAME, $ACCESSSTARTS, $ARTICLE_NAME, $shortDate); $rows = array(); while ($getRecords->fetch()) { $row = array( 'ARTICLE_NO' => $ARTICLE_NO, 'USERNAME' => $USERNAME, ... ); $rows[] = $row; } return $rows; } else { print_r($con->error); } }Essentially you have to create your required associative array yourself, since you can't use
$result_set->fetch_assoc().Joshxtothe4 : hmmmm, is there any reason not to be able to fetch_assoc with query?Alnitak : No, but you can't use 'query' with bound parameters. If you're _really_ careful you can use 'query' and 'mysql_real_escape_string' to protect yourself from SQL injection, though.Joshxtothe4 : Also, your function gives unexpected T_IF however I I can't see why.Alnitak : there's an extra character appeared somehow at the end of the line that sets $recordQueryJoshxtothe4 : Ahh. I am trying with a slef created array, however the while loop is still not being entered, only the if loop.Joshxtothe4 : What could be wrong with getRecords->fetch()? There are definitely records to fetch..Alnitak : my original cut&paste still had "LIKE '%?%'" from your code, which is incorrect. Fix that and it might work OK.
0 comments:
Post a Comment