I am trying to create a site search in prepared statements,
Here is my code : Conditions for search
JavaScript
x
$whereSQL = $orderSQL = ''; if(!empty($_POST['keywords'])){ $whereSQL = "WHERE title LIKE '%".$_POST['keywords']."%'"; } if(!empty($_POST['sortBy'])){ $orderSQL = " ORDER BY title ".$_POST['sortBy']; }else{ $orderSQL = " ORDER BY title DESC "; } This is how I add it to query :
JavaScript
$stmt = $pdo->prepare("SELECT * FROM posts ".$whereSQL.$orderSQL); $stmt->execute(); $rowCount= $stmt->rowCount(); Here is my question. How can I use conditions safe way in prepared statements ?
Advertisement
Answer
You can build up an array of any bind parameters dynamically and then pass this to the execute()
As the only value you can bind is in the WHERE clause, you only need to alter than part…
JavaScript
$whereSQL = $orderSQL = ''; $bindParams = [];if(!empty($_POST['keywords'])){ $whereSQL = "WHERE title LIKE :title"; $bindParams['title'] = '%'.$_POST['keywords'].'%';} $stmt = $pdo->prepare("SELECT * FROM posts ".$whereSQL.$orderSQL); // Pass values to statement$stmt->execute($bindParams);