Search Results

Search found 3474 results on 139 pages for 'prepared statements'.

  • Prepared statement help, Number of variables doesn't match number of parameters in prepared statement

    - by Sam Gabriel
    I'm getting this error: "Number of variables doesn't match number of parameters in prepared statement" every time I run this code:

      $dbh = new mysqli("localhost", "***", "***", "pics");
      $stmt = $dbh->prepare("INSERT INTO comments (username, picture, comment) VALUES (?, ?, ?)");
      $stmt->bind_Param('s', $username);
      $stmt->bind_Param('d', $picture);
      $stmt->bind_Param('s', $comment);
      $username=$_SESSION['username'];
      $picture=$_GET['id'];
      $comment=$_POST['comment'];
      $stmt->execute();

    What's the problem?

  • JDBC Bind table in prepared statement

    - by AEIOU
    Can I bind a table name in a Java Prepared Statement? i.e.

      PreparedStatement pstmt = aConn.prepareStatement("SELECT column FROM ? ");
      pstmt.setString(1, "MY_TABLE");

    Nope, no I can't. New question, anyone know how to delete a question?

  • When *not* to use prepared statements?

    - by Ben Blank
    I'm re-engineering a PHP-driven web site which uses a minimal database. The original version used "pseudo-prepared-statements" (PHP functions which did quoting and parameter replacement) to prevent injection attacks and to separate database logic from page logic. It seemed natural to replace these ad-hoc functions with an object which uses PDO and real prepared statements, but after doing my reading on them, I'm not so sure. PDO still seems like a great idea, but one of the primary selling points of prepared statements is being able to reuse them… which I never will.

    Here's my setup: The statements are all trivially simple. Most are in the form SELECT foo,bar FROM baz WHERE quux = ? ORDER BY bar LIMIT 1. The most complex statement in the lot is simply three such selects joined together with UNION ALLs. Each page hit executes at most one statement and executes it only once. I'm in a hosted environment and therefore leery of slamming their servers by doing any "stress tests" personally.

    Given that using prepared statements will, at minimum, double the number of database round-trips I'm making, am I better off avoiding them? Can I use PDO::MYSQL_ATTR_DIRECT_QUERY to avoid the overhead of multiple database trips while retaining the benefit of parametrization and injection defense? Or do the binary calls used by the prepared statement API perform well enough compared to executing non-prepared queries that I shouldn't worry about it?

    EDIT: Thanks for all the good advice, folks. This is one where I wish I could mark more than one answer as "accepted" — lots of different perspectives. Ultimately, though, I have to give rick his due… without his answer I would have blissfully gone off and done the completely Wrong Thing even after following everyone's advice. :-) Emulated prepared statements it is!

  • PHP, MySQL prepared statements - can you use results of execute more than once by calling data_seek(

    - by Carvell Fenton
    Hello, I have a case where I want to use the results of a prepared statement more than once in a nested loop. The outer loop processes the results of another query, and the inner loop is the results of the prepared statement query. So the code would be something like this (just "pseudoish" to demonstrate the concept):

      // not showing the outer query, it is just a basic SELECT, not prepared statement
      // we'll call it $outer_query
      $obj_array = array(); // going to save objects in this
      $ids = array(18,19,20); // just example id numbers
      $query = "SELECT field1, field2 FROM table1 WHERE id=?";
      $stmt = $db->prepare($query);
      foreach ($ids as $id) {
          $stmt->bind_param("i", $id);
          $stmt->execute();
          $stmt->bind_result($var1, $var2);
          $stmt->store_result(); // I think I need this for data_seek
          while ($q1 = $outer_query->fetch_object()) {
              while ($stmt->fetch()) {
                  if ($q1->field1 == $var1) { // looking for a match
                      $obj = new stdClass();
                      $obj->var1 = $var1;
                      $obj->var2 = $var2;
                      $obj_array[] = $obj;
                      $stmt->data_seek(0); // reset for outer loop
                      break; // found match, so leave inner
                  }
              }
          }
      }

    The problem I seem to be experiencing is that the values are not getting bound in the variables as I would expect after the first time I use fetch in the inner loop. Specifically, in one example I ran with 3 ids for the foreach, the first id was processed correctly, the second was processed incorrectly (matches were not found in the inner loop even though they existed), and then the third was processed correctly. Is there something wrong with the prepared statement function calls in the sequence I am doing above, or is this an invalid way to use the results of the prepared statement? Thanks.

  • Does SELECT COUNT(*) work with MySQLi prepared statements?

    - by wordman
    I'm working on a test page and am using MySQLi prepared statements in my queries after reading they make my code safe from SQL injection. I have been successful with prepared statements so far with retrieving data from my DB, that all works great. What I want to do now is count the number of galleries within a project using SELECT COUNT(*). That's it. Without using a prepared statement, my old query looked like this:

      // count number of galleries per project
      $conn = dbConnect('query');
      $galNumb = "SELECT COUNT(*) FROM pj_galleries WHERE project = {$pjInfo['pj_id']}";
      $gNumb = $conn->query($galNumb);
      $row = $gNumb->fetch_row();
      $galTotal = $row[0];

    But for all my reading and searching the internet, I can not find out the proper way to write this as a prepared statement. I'm no PHP whiz here, and not coding daily isn't helping my skills. If I've missed anything please ask. Many thanks!

  • Using prepared statements with JDBCTemplate

    - by Bernhard V
    Hi. I'm using the Jdbc template and want to read from the database using prepared statements. I iterate over many lines in a csv file and on every line I execute some sql select queries with its values. Now I want to speed up my reading from the database but I just can't get the Jdbc template to work with prepared statements. Actually I even don't know how to do it. There is the PreparedStatementCreator and the PreparedStatementCreator. As in this example both of them are created with anonymous inner classes. But inside the PreparedStatementCreator class I don't have access to the values I want to set in the prepared statement. Since I'm iterating through a csv file I can't hard code them as a String because I don't know them. I also can't pass them to the PreparedStatementCreator because there are no arguments for the constructor. I was used to the creation of prepared statements being fairly simple. Something like

      PreparedStatement updateSales = con.prepareStatement(
          "UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
      updateSales.setInt(1, 75);
      updateSales.setString(2, "Colombian");
      updateSales.executeUpdate();

    as in the Java tutorial. Your help would be very appreciated.

  • Case Statements versus coded if statements

    - by Eric
    What is more efficient: handling with case statements in SQL, or handling the same data using if statements in code? I'm asking because my colleague has a huge query that has many case statements. I advised her to take stress off of the DB by coding the case statements. I've found that it is more efficient... but why?

  • Prepared Statements in MySql 5.1

    - by Ronen
    This one is really puzzling. I can't seem to be able to run any prepared statement on MySql 5.1. Any simple select I'm writing runs fine, but when I'm trying to run it from a prepared statement I'm getting "Query returned no result set". What am I doing wrong? Example:

      prepare s from 'select * from t';
      execute s;

    Thanks!

  • Recursion in prepared statements

    - by Rob
    I've been using PDO and preparing all my statements primarily for security reasons. However, I have a part of my code that does execute the same statement many times with different parameters, and I thought this would be where the prepared statements really shine. But they actually break the code... The basic logic of the code is this.

      function someFunction($something) {
          global $pdo;
          $array = array();
          static $handle = null;
          if (!$handle) {
              $handle = $pdo->prepare("A STATEMENT WITH :a_param");
          }
          $handle->bindValue(":a_param", $something);
          if ($handle->execute()) {
              while ($row = $handle->fetch()) {
                  $array[] = someFunction($row['blah']);
              }
          }
          return $array;
      }

    It looked fine to me, but it was missing out a lot of rows. Eventually I realised that the statement handle was being changed (executed with different param), which means the call to fetch in the while loop will only ever work once, then the function calls itself again, and the result set is changed. So I am wondering what's the best way of using PDO prepared statements in a recursive way.

    One way could be to use fetchAll(), but it says in the manual that has a substantial overhead. The whole point of this is to make it more efficient. The other thing I could do is not reuse a static handle, and instead make a new one every time. I believe that since the query string is the same, internally the MySQL driver will be using a prepared statement anyway, so there is just the small overhead of creating a new handle on each recursive call. Personally I think that defeats the point. Or is there some way of rewriting this?

  • MySQL Prepared Statements vs Stored Procedures Performance

    - by amardilo
    Hi there, I have an old MySQL 4.1 database with a table that has a few million rows and an old Java application that connects to this database and returns several thousand rows from this table on a frequent basis via a simple SQL query (i.e. SELECT * FROM people WHERE first_name = 'Bob'. I think the Java application uses client side prepared statements but was looking at switching this to the server, and in the example mentioned the value for first_name will vary depending on what the user enters). I would like to speed up performance on the select query and was wondering if I should switch to Prepared Statements or Stored Procedures. Is there a general rule of thumb of what is quicker/less resource intensive (or if a combination of both is better)?

  • Shouldn't prepared statements be much faster?

    - by silversky
      $s = explode (" ", microtime());
      $s = $s[0]+$s[1];
      $con = mysqli_connect ('localhost', 'test', 'pass', 'db') or die('Err');
      for ($i=0; $i<1000; $i++) {
          $stmt = $con -> prepare( " SELECT MAX(id) AS max_id , MIN(id) AS min_id FROM tb ");
          $stmt -> execute();
          $stmt->bind_result($M,$m);
          $stmt->free_result();
          $rand = mt_rand( $m , $M ).'<br/>';
          $res = $con -> prepare( " SELECT * FROM tb WHERE id >= ? LIMIT 0,1 ");
          $res -> bind_param("s", $rand);
          $res -> execute();
          $res->free_result();
      }
      $e = explode (" ", microtime());
      $e = $e[0]+$e[1];
      echo number_format($e-$s, 4, '.', '');

    and:

      $link = mysql_connect ("localhost", "test", "pass") or die ();
      mysql_select_db ("db") or die ("Unable to select database".mysql_error());
      for ($i=0; $i<1000; $i++) {
          $range_result = mysql_query( " SELECT MAX(`id`) AS max_id , MIN(`id`) AS min_id FROM tb ");
          $range_row = mysql_fetch_object( $range_result );
          $random = mt_rand( $range_row->min_id , $range_row->max_id );
          $result = mysql_query( " SELECT * FROM tb WHERE id >= $random LIMIT 0,1 ");
      }

    Definitely prepared statements are much safer, but also everywhere it says that they are much faster. BUT in my test on the above code I have:
    - 2.45 sec for prepared statements
    - 5.05 sec for the second example
    What do you think I'm doing wrong? Should I use the second solution or should I try to optimize the prep stmt?

  • Are Dynamic Prepared Statements Bad? (with php + mysqli)

    - by John
    I like the flexibility of Dynamic SQL and I like the security + improved performance of Prepared Statements. So what I really want is Dynamic Prepared Statements, which is troublesome to make because bind_param and bind_result accept a "fixed" number of arguments. So I made use of an eval() statement to get around this problem. But I get the feeling this is a bad idea. Here's example code of what I mean:

      // array of WHERE conditions
      $param = array('customer_id'=>1, 'qty'=>'2');
      $stmt = $mysqli->stmt_init();
      $types = '';
      $bindParam = array();
      $where = '';
      $count = 0;
      // build the dynamic sql and param bind conditions
      foreach($param as $key=>$val) {
          $types .= 'i';
          $bindParam[] = '$p'.$count.'=$param["'.$key.'"]';
          $where .= "$key = ? AND ";
          $count++;
      }
      // prepare the query -- SELECT * FROM t1 WHERE customer_id = ? AND qty = ?
      $sql = "SELECT * FROM t1 WHERE ".substr($where, 0, strlen($where)-4);
      $stmt->prepare($sql);
      // assemble the bind_param command
      $command = '$stmt->bind_param($types, '.implode(', ', $bindParam).');';
      // evaluate the command -- $stmt->bind_param($types,$p0=$param["customer_id"],$p1=$param["qty"]);
      eval($command);

    Is that last eval() statement a bad idea? I tried to avoid code injection by encapsulating values behind the variable name $param. Does anyone have an opinion or other suggestions? Are there issues I need to be aware of?

  • Problems with string parameter insertion into prepared statement

    - by c0d3x
    Hi, I have a database running on an MS SQL Server. My application communicates via JDBC and ODBC with it. Now I try to use prepared statements. When I insert a numeric (Long) parameter everything works fine. When I insert a string parameter it does not work. There is no error message, but an empty result set.

      WHERE column LIKE ('%' + ? + '%')   -- inserted "test"   -> empty result set
      WHERE column LIKE ?                 -- inserted "%test%" -> empty result set
      WHERE column = ?                    -- inserted "test"   -> works

    But I need the LIKE functionality. When I insert the same string directly into the query string (not as a prepared statement parameter) it runs fine.

      WHERE column LIKE '%test%'

    It looks a little bit like double quoting for me, but I never used quotes inside a string. I use preparedStatement.setString(int index, String x) for insertion. What is causing this problem? How can I fix it? Thanks in advance.

  • Mysqli prepared insert statements always returning false

    - by user1754679
    I'm writing prepared statements that are supposed to insert data into a table, on a database that's been pre-selected in the variable $GLOBALS['mysqli']. The connection has been tested, and that's not the problem I'm having. I'm only running into trouble whenever my prepared statement involves INSERT INTO. I know the table name and field names are correct, but $stmt is ALWAYS false. What gives?

      $stmt = $GLOBALS['mysqli']->prepare("INSERT INTO audit_RefreshCount (user, count, lastrefresh) values (?,?,?)");
      if ($stmt == TRUE) {
          $stmt->bindParam('ssi', $_SESSION['username'], '0', time());
          //$stmt->bind_Param('ssi', $_SESSION['username'], '0', time()); // Also doesn't work.
          $stmt->execute();
      }

  • Unable to compare values from mysql in a prepared statement

    - by Cortopasta
    I can't seem to get this to connect to the database so that I can run my prepared statement. Does anybody have an idea what I've forgotten?

      private function check_credentials($plain_username, $password) {
          global $dbcon;
          $ac = new ac();
          $ac->dbconnect();
          $userid = $dbcon->prepare('SELECT id FROM users WHERE username = :username AND password = :password LIMIT 1');
          $userid->bindParam(':username', $plain_username);
          $userid->bindParam(':password', $password);
          $userid->execute();
          $id = $userid->fetch();
          return $id;
      }

    EDIT: I changed the SQL query from a SELECT FROM query to an INSERT INTO query and it worked. What the heck is going on?

  • mysqli prepared statements select *

    - by Victor Dallecio
    I've spent this Sunday trying to find what is wrong with the following code, as it is not counting the rows. Could somebody help me with it? Thanks!

      /*check if same IP has visited today*/
      if ($stmt = $mysqli->query('SELECT * FROM table WHERE colum1 = ? AND colum2 > DATE_SUB(NOW(), INTERVAL 1 DAY)')) {
          $stmt->bind_param('s', $ip);
          /* execute query */
          $stmt->execute();
          /*number of rows */
          /*store result when using prepared statements*/
          $stmt->store_result();
          $row_cnt = $stmt->num_rows;
          printf("Result set has %d rows.\n", $row_cnt);
          $stmt->close();
      }

  • Variable amount of columns returned in mysqli prepared statement

    - by manyxcxi
    I have a situation where a dynamic query is being generated that could select anywhere from 1 to over 300 different columns across multiple tables. It currently works fine just doing a query; however, the issue I'm running into in using a prepared statement is that I do not know how to handle the fact that I don't know how many columns I will be asking for each time and therefore don't know how to process the results. The reason I believe a bind statement will help is because once this query is run once, it will most likely (though not always) be run again with the exact same parameters. Currently I have something like this:

      $rows = array();
      $this->statement = $this->db->prepare($query);
      $this->statement->bind_param('i',$id);
      $this->statement->execute();
      $this->statement->bind_result($result);
      while($this->statement->fetch()) {
          $rows[] = $result;
      }

    I know this doesn't work as I want it to; my question is how do I get the data back out of the query. Is it possible to bring the columns back in an associative array by column name, like a standard mysqli query?

  • Batch Inserts And Prepared Query Error

    - by ircmaxell
    Ok, so I need to populate a MS Access database table with results from a MySQL query. That's not hard at all. I've got the program written to where it copies a template .mdb file to a temp name and opens it via odbc. No problem so far. I've noticed that Access does not support batch inserting (VALUES (foo, bar), (second, query), (third query)). So that means I need to execute one query per row (there are potentially hundreds of thousands of rows). Initial performance tests show a rate of around 900 inserts/sec into Access. With our largest data sets, that could mean execution times of minutes (which isn't the end of the world, but obviously the faster the better).

    So, I tried testing a prepared statement. But I keep getting an error (Warning: odbc_execute() [function.odbc-execute]: SQL error: [Microsoft][ODBC Microsoft Access Driver]COUNT field incorrect , SQL state 07001 in SQLExecute in D:\....php on line 30). Here's the code I'm using (line 30 is odbc_execute):

      $sql = 'INSERT INTO table ([field0], [field1], [field2], [field3], [field4], [field5]) VALUES (?, ?, ?, ?, ?, ?)';
      $stmt = odbc_prepare($conn, $sql);
      for ($i = 200001; $i < 300001; $i++) {
          $a = array($i, "Field1 $i", "Field2 $i", "Field3 $i", "Field4 $i", $i);
          odbc_execute($stmt, $a);
      }

    So my question is two fold. First, is there any idea on why I'm getting that error (I've checked, and the number in the array matches the field list, which matches the number of parameter ? markers)? And second, should I even bother with this or just use the straight INSERT statements? Like I said, time isn't critical, but if it's possible, I'd like to get that time as low as possible (then again, I may be limited by disk throughput, since 900 operations/sec is high already)... Thanks

  • Java Prepared Statement arguments!

    - by Epitaph
    I am planning to replace repeatedly executed Statement objects with PreparedStatement objects to improve performance. I am using arguments like the MySQL function now(), and string variables. Most of the PreparedStatement queries I have seen contained constant values (like 10, and strings like "New York") as arguments used for the "?" in the queries. How would I go about using functions like now(), and variables as arguments? Is it necessary to use the "?"s in the queries instead of actual values? I am quite confounded.

  • Getting the record ID just added with mysql prepared statements

    - by dmontain
    I'm inserting a record using PDO (very similar to mysqli).

      $addRecord->execute();

    To know if the operation worked, I've learned that I can save it to a variable $result that can be used as true/false:

      $result = $addRecord->execute();
      if ($result){
          //add successful
      } else {
          //add unsuccessful
      }

    What I'd like to do is also get the record id just added. In the table, each record has an auto_incremented field called id. I tried doing this:

      $new_id = $result['id'];

    but it seems that $result is purely boolean and doesn't actually hold the actual record that was added. Can someone confirm this, and how would I then access the record just added? Note that several people may be adding to the same table at the same time, so I think getting just the last one would not be very accurate.

  • Using wildcards in prepared statement - MySQLi

    - by Michael Irwin
    Hi! I'm trying to run the following query, and I'm having trouble with the wildcard.

      function getStudents() {
          global $db;
          $users = array();
          $query = $db->prepare("SELECT id, adminRights FROM users WHERE classes LIKE ? && adminRights='student'");
          $query->bind_param('s', '%' . $this->className . '%');
          $query->execute();
          $query->bind_result($uid, $adminRights);
          while ($query->fetch()) {
              if (isset($adminRights[$this->className]) && $adminRights[$this->className] == 'student')
                  $users[] = $uid;
          }
          $query->close();
          return $users;
      }

    I'm getting an error that states: Cannot pass parameter 2 by reference. The reason I need to use the wildcard is because the column's data contains serialized arrays. I guess, if there's an easier way to handle this, what could I do? Thanks in advance!

  • PDO prepared statement not working for login system

    - by Cortopasta
    Anybody know what I'm doing wrong here? I have a username and password hashed in my database, but I can't seem to get it to match the one I submit through the script.

      $res = $dbcon->prepare('SELECT id FROM users WHERE name = :name AND password = MD5(:password)');
      $res->bindParam(':name', $user);
      $res->bindParam(':password', $password);
      $res->execute();
      $row = $res->fetch();
      for ($i=0; $i<7; $i++) {
          $row[$i];
      }
