Monday, April 25, 2011

fetching data from a prepared statement.

I have a function, which is to return an array of rows containg records from a database, selected based on a LIKE query. I want this query to be a prepared statement for security reasons. Apparently I can not use bound parameters and the query function as I am doing. I am unsure then, of how to keep me query as a prepared statement, and return the rows that I m trying to return.

function getRowsByArticleSearch($searchString, $table, $max) {
    $con = mysqli_connect("localhost", "x", "x", "x");
    //global $con;
    $recordsQuery = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME, date_format(str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s'), '%d %m %Y' ) AS shortDate FROM AUCTIONS WHERE upper(ARTICLE_NAME) LIKE '%?%' ORDER BY str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s')" . $max;
    if ($getRecords = $con->prepare($recordsQuery)) {
     $getRecords->bind_param("s", $searchString);
     //$getRecords->execute();
     echo "test if";
     //$getRecords->bind_result($ARTICLE_NO, $USERNAME, $ACCESSSTARTS, $ARTICLE_NAME, $shortDate);
     while ($getRecords->fetch()) {
      $result = $con->query($recordsQuery);
      $rows = array();
      echo "test while";
      while($row = $result->fetch_assoc()) {
       $rows[] = $row;
      }
     }
     return $rows;
    } else {
     print_r($con->error);
    }
}

The while loop is never entered at all.

From stackoverflow
  • Although tedious if you've got many columns, you could just do:

    function getRowsByArticleSearch($searchString, $table, $max) {
    
      $con = mysqli_connect("localhost", "x", "x", "x");
      $recordsQuery = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME, date_format(str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s'), '%d %m %Y' ) AS shortDate FROM AUCTIONS WHERE upper(ARTICLE_NAME) LIKE ? ORDER BY str_to_date(ACCESSSTARTS, '%d/%m/%Y %k:%i:%s')" . $max;
      if ($getRecords = $con->prepare($recordsQuery)) {
            $getRecords->bind_param("s", $searchString);
            $getRecords->execute();
            $getRecords->bind_result($ARTICLE_NO, $USERNAME, $ACCESSSTARTS, $ARTICLE_NAME, $shortDate);
            $rows = array();
            while ($getRecords->fetch()) {
                $row = array(
                    'ARTICLE_NO' => $ARTICLE_NO,
                    'USERNAME' => $USERNAME,
                     ...
                );
                 $rows[] = $row;
            }
            return $rows;
        } else {
            print_r($con->error);
        }
    }
    

    Essentially you have to create your required associative array yourself, since you can't use $result_set->fetch_assoc().

    Joshxtothe4 : hmmmm, is there any reason not to be able to fetch_assoc with query?
    Alnitak : No, but you can't use 'query' with bound parameters. If you're _really_ careful you can use 'query' and 'mysql_real_escape_string' to protect yourself from SQL injection, though.
    Joshxtothe4 : Also, your function gives unexpected T_IF however I I can't see why.
    Alnitak : there's an extra character appeared somehow at the end of the line that sets $recordQuery
    Joshxtothe4 : Ahh. I am trying with a slef created array, however the while loop is still not being entered, only the if loop.
    Joshxtothe4 : What could be wrong with getRecords->fetch()? There are definitely records to fetch..
    Alnitak : my original cut&paste still had "LIKE '%?%'" from your code, which is incorrect. Fix that and it might work OK.

0 comments:

Post a Comment