I am taking my first tentative steps into prepared statements (and falling flat on my face).
Previously, I built the following from $_GET and echoed it back – the code was working fine and it returned what I expected from my simple test database.
SELECT * FROM edit_box WHERE (tag="9") AND (text="mango") ORDER BY time_stamp DESC
and when I try to code it using a prepared statement, even if I don’t use $_GET but just hard-code the values from the previous, my code looks like this
$odbc_query = OdbcPrepare('SELECT * FROM edit_box WHERE (tag="?")' . ' AND (text ? "?") ORDER BY time_stamp DESC');
$odbcResult = odbc_exec($odbc_query, array('9', '=', 'mango'));
var_dump($odbcResult);
I get NULL.
Obviously a beginner mistake, but I stare at it and still don’t say d’oh!
What am I doing wrong?
Answer
You cannot do this —
AND (text ? "?")
Parameters, like this, can usually only be passed for actual values – and in some cases identifiers…
To do what you want you need to interpolate the ‘=’ inline into the SQL statement…
Kind of, like this —
$logical_operator = '=';
// Placeholders must be bare ? tokens: a quoted "?" is a string literal, not a parameter.
$sql = "SELECT * FROM edit_box WHERE (tag = ?) AND (text $logical_operator ?) ORDER BY time_stamp DESC";
// $conn is an ODBC connection from odbc_connect(); odbc_prepare() needs it as the first argument.
$odbc_query = odbc_prepare($conn, $sql);
// odbc_execute() (not odbc_exec()) runs a prepared statement with the bound values.
$odbcResult = odbc_execute($odbc_query, array('9', 'mango'));
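Interpolating the operator into the SQL text is the right move, but it means the operator is no longer protected by the prepared statement, so it must never come straight from user input. The following is an added example, not code from the question or the answer: it binds the two values as parameters and only splices in the operator after checking it against a fixed whitelist. The connection `$conn`, the helper names and the `$_GET` keys are assumptions.

```php
<?php
// Added example: values stay bound parameters; the operator is interpolated
// only after it passes a whitelist check. $conn is assumed to come from
// odbc_connect(); function names below are this example's own.

const ALLOWED_OPERATORS = ['=', '<>', 'LIKE', 'NOT LIKE'];

function buildEditBoxQuery(string $operator): string
{
    // Reject anything that is not an exact whitelist entry before it touches the SQL.
    if (!in_array($operator, ALLOWED_OPERATORS, true)) {
        throw new InvalidArgumentException('Unsupported operator: ' . $operator);
    }
    // Bare ? tokens are the parameter markers; "?" inside quotes would be a literal string.
    return 'SELECT * FROM edit_box WHERE (tag = ?) AND (text ' . $operator
        . ' ?) ORDER BY time_stamp DESC';
}

function fetchEditBox($conn, string $tag, string $operator, string $text): array
{
    $stmt = odbc_prepare($conn, buildEditBoxQuery($operator));
    if ($stmt === false) {
        throw new RuntimeException('odbc_prepare failed: ' . odbc_errormsg($conn));
    }
    // The values are passed positionally and never concatenated into the query text.
    if (!odbc_execute($stmt, [$tag, $text])) {
        throw new RuntimeException('odbc_execute failed: ' . odbc_errormsg($conn));
    }
    $rows = [];
    while (($row = odbc_fetch_array($stmt)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// Usage (DSN and credentials are placeholders; the $_GET keys are assumed):
// $conn = odbc_connect('DSN_PLACEHOLDER', 'user', 'pass');
// $rows = fetchEditBox($conn, $_GET['tag'] ?? '', $_GET['op'] ?? '=', $_GET['text'] ?? '');
// fetchEditBox($conn, '9', 'anything else', 'mango'); // throws InvalidArgumentException
```

Two points worth keeping in mind with this API: the whitelist comparison uses strict `in_array`, so only the exact operator strings are accepted, and `odbc_execute()` treats a parameter that both starts and ends with a single quote as the name of a file to read and send to the database, so values taken from a request should be checked for that shape before being bound.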