What's wrong with my PHP code?

[TechBoyJK]

Using the code below, the sql insert is inserting

':firstName', ':lastName', and ':address' when I'm wanting "john", "doe" and "555 test avenue"

Thoughts? I don't see where I'm making a mistake....

<?php



 $firstName = "John";
 $lastName = "Doe";
 $address = "555 test avenue";

try {
    $conn = new PDO("mysql:host=localhost;dbname=myDB", 'myUser', 'pass123!');
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("
          INSERT INTO tbl_jobApplications (firstName, lastName, address)
    
          VALUES (NULLIF(':firstName', ''), NULLIF(':lastName', ''), ':address')
         ");
    

    $stmt->bindParam(':firstName', $firstName);
    $stmt->bindParam(':lastNname', $lastName);
    $stmt->bindParam(':address', $address);


    $stmt->execute();

    echo "New records created successfully";
    }
      catch(PDOException $e)
    {
    echo "Error: " . $e->getMessage();
    }

    $conn = null;


   ?>

 

[KB]

Try using the ? Param instead. I think it's because you have the Params wrapped in single quotes

http://php.net/manual/en/pdostatement.bindparam.php

 

[TechBoyJK]

I'm not sure what you mean by '? param'

 

[RampantAndroid]

I'm not sure what you mean by '? param'

He means this type of code (I didn;t know it worked in PHP, it does in C)

myVar = (myString == null) ? "TrueValue" : "FalseValue";

it's just an inline if statement:

if(myString == null)
{
    myVar = "TrueValue";
}
else
{
    myVar = "FalseValue";
}

 

[Ken g6]

No, he means question mark parameters. See "Example #2 Prepare an SQL statement with question mark parameters".

 

[RampantAndroid]

No, he means question mark parameters. See "Example #2 Prepare an SQL statement with question mark parameters".

Oh, cool - it's just string format with ? instead of {0}, {1} and such (which...seems annoying, actually.)

 

[purbeast0]

TechBoyJK just wondering since you are posting all of these php threads, are you stuck using php as your backend code? or do you have the option to use something else?

 

[TechBoyJK]

stuck, not my choice.

 

[purbeast0]

stuck, not my choice.

as an add on question ... why are you stuck?

the reason i ask is because a major reason i left my initial job was due to them having old tech and staying stuck in the stone age. it's so much more fun now working with a company that is current with tech and always ready to upgrade to the latest stuff. it also makes life a lot easier heh.

and i'm not saying "upgrade just to upgrade", but there is a reason to not re-invent the wheel in the software industry.

 

[Ken g6]

In case you missed it - I did until I looked at the page again - there's a long user post on the page I linked to about why not to use quotes around placeholders:

To those wondering why adding quotes to around a placeholder is wrong, and why you can't use placeholders for table or column names:

There is a common misconception about how the placeholders in prepared statements work: they are not simply substituted in as (escaped) strings, and the resulting SQL executed. Instead, a DBMS asked to "prepare" a statement comes up with a complete query plan for how it would execute that query, including which tables and indexes it would use, which will be the same regardless of how you fill in the placeholders.

The plan for "SELECT name FROM my_table WHERE id = :value" will be the same whatever you substitute for ":value", but the seemingly similar "SELECT name FROM :table WHERE id = :value" cannot be planned, because the DBMS has no idea what table you're actually going to select from.

Even when using "emulated prepares", PDO cannot let you use placeholders anywhere, because it would have to work out what you meant: does "Select :foo From some_table" mean ":foo" is going to be a column reference, or a literal string?

When your query is using a dynamic column reference, you should be explicitly white-listing the columns you know to exist on the table, e.g. using a switch statement with an exception thrown in the default: clause.

the reason i ask is because a major reason i left my initial job was due to them having old tech and staying stuck in the stone age.

I do a lot of work on web sites that have to support corporate visitors. So I'm stuck supporting IE8. D: At least they've finally moved on from IE7. 🙄

 

[purbeast0]

In case you missed it - I did until I looked at the page again - there's a long user post on the page I linked to about why not to use quotes around placeholders:




I do a lot of work on web sites that have to support corporate visitors. So I'm stuck supporting IE8. D: At least they've finally moved on from IE7. 🙄

trust me i've had to support ie7 so i know your pain. having to run a virtual winxp running in ie9 in "ie7 mode", and then it still doesn't work just as if you were on ie7. so terrible.

things like that make me switch jobs. people need to get out of the stoneage.

now having to support IE in general is a waste of time. thankfully i don't have to waste time doing that.

 

[Albatross]

...

 

[TechBoyJK]

as an add on question ... why are you stuck?

the reason i ask is because a major reason i left my initial job was due to them having old tech and staying stuck in the stone age. it's so much more fun now working with a company that is current with tech and always ready to upgrade to the latest stuff. it also makes life a lot easier heh.

and i'm not saying "upgrade just to upgrade", but there is a reason to not re-invent the wheel in the software industry.

It's for a shopping cart app that we use at work. They're not changing it anytime soon.

 

[TechBoyJK]

In case you missed it - I did until I looked at the page again - there's a long user post on the page I linked to about why not to use quotes around placeholders:

I did not see that, but since I've read it, it makes perfect sense.

You simply can't prepare a statement if you haven't declared the sources (table name, column name). And since you need those to prepare a statement, it's not possible to use placeholders. The actual contents of the request can be variable (like what you put in the trunk of your car for a trip), but you can't plan a route unless you know where you are going. You can't prepare a map for a vacation without knowing your destination.