prepared-statement

I'm having issues binding the LIKE with Wildcard into my prepared statement in MySQLi. I tried both the following methods below as shown & concat.(updated with @fancyPants input) Is there a way so that I can view my own SQL statement after the binding happens? How do I bind it properly to get the result I want ? It works without the LIKE statement. I could only pull out data from using a certain search term. Is there anything wrong with my code? $str = $_POST["searchstr"]; if(isset($_POST['submit'])) { $price=$_POST['price']; if(!empty($_POST['chkbx'])) { foreach($_POST['chkbx'] as $selected)

I made a code a few days ago including get_result() to receave the results from my database. Today I wantet to add to it and fix some errors. So I tried to use num_rows to see if anything were returned. But for this I had to use store_result() . And when I do this get_result() just returns a boolean of false. When I comment out store_result() everything works as it should. I know that the >= will mess it up. But I put the = there for debugging(to comment out the store_result() and see what happend). So that is not the problem $sql = $this->connect(); $a = $sql->prepare("SELECT `name`, `title`,

I'm using PHP 5.5.9 and MySQL 5.5.44 with mysqlnd 5.0.11-dev on Ubuntu 14.04 LTS. The following statement fails to prepare: $db->prepare("SELECT nr.x FROM (SELECT ? AS x) AS nr") This is despite the fact that the following statement prepares successfully: $db->prepare("SELECT nr.x FROM (SELECT '1337' AS x) AS nr") What causes this difference? The manual says "Parameter markers can be used only where data values should appear, not for SQL keywords, identifiers, and so forth." But this is for a data value. Not PDO's fault The same thing happens in the stand-alone client: mysql -uredacted

This is driving me nuts... What am I doing wrong here? ArrayList<String> toAdd = new ArrayList<String>(); toAdd.add("password"); try{ PreparedStatement pStmt = conn.prepareStatement("ALTER TABLE testTable ADD ? varchar(100)"); for (String s : toAdd) { pStmt.setString(1, s); pStmt.execute(); } } catch (SQLException e) { e.printStackTrace(); } Results in... 02:59:12,885 ERROR [STDERR] com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''password' varchar

I am trying to change my code to msqli prepared statements from mysql. I am not sure how to adapt my code that currently works to check if there is an email already in the database. Below is the code I am currently using that works. How do I change this into a prepared statement and get the same result? //if email is equal to an email already in the database, display an error message if(mysql_num_rows(mysql_query("SELECT * FROM users WHERE email = '".mysql_real_escape_string($_POST['email'])."'"))) { echo "<p class='red'>Email is already registered with us</p>"; } else { // missing code? }

sometimes i need to insert into the table some null values, or update them setting the value to NULL. I've read somewhere in the postgresql documentation that this cant be done, but can be tricket with the default value: pg_query("INSERT INTO my_table (col_a, col_b) VALUES ('whatever', default) p.s: i know that in this example i'll have the same result with pg_query("INSERT INTO my_table (col_a) VALUES ('whatever') But the problems comes witht the prepared statements: pg_prepare($pgconn, 'insert_null_val', "INSERT INTO my_table (col_a, col_b) VALUES ($1, default)"); pg_exec($pgconn, 'insert

When should i call mysqli::close? I never used to use if statements to check whether bind_param(), prep() and execute() were successful. Should I call $stmt->close() at the end of the method(below) . Or should I call it after every condition ensuring that I close the database connection even if the process fails at some stage e.g bind param. public function function_name($id,$new_id ){ $query = "UPDATE TABLE SET name = ? WHERE field = ? "; if($stmt=$this->prepare($query)){ if($stmt->bind_param("is", $id, $new_id)){ if($stmt->execute()){ }else{//Could not execute the prepared statement $message

I have come across the following codes i feel it is doing the wrong thing: (Note that this is JDK 1.4.2, therefore the list is not typed) StringBuffer queryBuffer = new StringBuffer(); ArrayList temp = new ArrayList(); ... queryBuffer.append("and sb.POSTCODE = ? "); temp.add(postcode); ... conn = ConnectionManager.getConnection(); pstmt = conn.prepareStatement(queryBuffer.toString()); This is what i am concerned about: for(int i=0; i<temp.size(); i++) { log.debug("setString("+ (i+1) + "," + (String)temp.get(i) + ")"); pstmt.setString(i+1, (String)temp.get(i)); } But i have noted that some of

Given something like DB()->prepare("SELECT * FROM mysql.general_log WHERE user_host LIKE ?"); $statement->execute( array('%console%') ); foreach($statement as $record){ var_dump($record); } Contents of general_log is *************************** 1. row *************************** event_time: 2011-04-20 14:27:59 user_host: REDACTED[REDACTED] @ REDACTED [192.168.56.101] thread_id: 30 server_id: 0 command_type: Connect argument: REDACTED@REDACTED on REDACTED *************************** 2. row *************************** event_time: 2011-04-20 14:27:59 user_host: REDACTED[REDACTED] @ REDACTED [192

I've extended the PDO class to create a simple DB class and currently use prepare + execute for all queries run to the database, even the ones that do not have parameters (e.g. SELECT * FROM table). The question is: is there a performance benefit to actually use PDO::query for simple queries that do not have parameters, instead of prepare/execute? Yes, because when you call PDO::prepare , the server must create a query plan and meta information for that query, then there is additional overhead to bind the specified parameters when you use PDO::execute . So, to save this overhead and improve