85

I've tried following the PHP.net instructions for doing SELECT queries but I am not sure the best way to go about doing this.

I would like to use a parameterized SELECT query, if possible, to return the ID in a table where the name field matches the parameter. This should return one ID because it will be unique.

I would then like to use that ID for an INSERT into another table, so I will need to determine if it was successful or not.

I also read that you can prepare the queries for reuse but I wasn't sure how this helps.

Improve this question

6 Answers 6

Reset to default
159

You select data like this:

$db = new PDO("...");
$statement = $db->prepare("select id from some_table where name = :name");
$statement->execute(array(':name' => "Jimbo"));
$row = $statement->fetch(); // Use fetchAll() if you want all results, or just iterate over the statement, since it implements Iterator

You insert in the same way:

$statement = $db->prepare("insert into some_other_table (some_id) values (:some_id)");
$statement->execute(array(':some_id' => $row['id']));

I recommend that you configure PDO to throw exceptions upon error. You would then get a PDOException if any of the queries fail - No need to check explicitly. To turn on exceptions, call this just after you've created the $db object:

$db = new PDO("...");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

I assume you mean PDOStatement where you have new PDO(...), right?
no. PDO is the connection-class (Should probably have been named PdoConnection instead). The connection can create PdoStatements. You call setAttribute() on the connection object - not the individual statements. (Alternatively, you can pass it to the constructor)
this might be useful: $db = new PDO('mysql:dbname=your_database;host=localhost', 'junior', '444');
For the line $statement->execute(array(':name' => "Jimbo")); , can you explain the Jimbo part?
@rar On the previous line, the query is initiated with a placeholder :name. Calling execute here is done with an associative array of placeholder -> value pairs. So in this case, the :name placeholder will be replaced with the string Jimbo. Note that it's not simply doing a string-replace, as the value is either escaped or sent over a different channel from the actual query, thus preventing any kind of injection attacks.
|
16

I've been working with PDO lately and the answer above is completely right, but I just wanted to document that the following works as well.

$nametosearch = "Tobias";
$conn = new PDO("server", "username", "password");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sth = $conn->prepare("SELECT `id` from `tablename` WHERE `name` = :name");
$sth->bindParam(':name', $nametosearch);
// Or sth->bindParam(':name', $_POST['namefromform']); depending on application
$sth->execute();
Improve this answer

2 Comments

No, it doesn't, as you haven't selected which database to use.
That should actually be in the "server" string, which should actually be a DSN in the form of "{driver}:dbname={db_name};host={server}" replacing the curly brace values with whatever your connection needs
12

You can use the bindParam or bindValue methods to help prepare your statement. It makes things more clear on first sight instead of doing $check->execute(array(':name' => $name)); Especially if you are binding multiple values/variables.

Check the clear, easy to read example below:

$q = $db->prepare("SELECT id FROM table WHERE forename = :forename and surname = :surname LIMIT 1");
$q->bindValue(':forename', 'Joe');
$q->bindValue(':surname',  'Bloggs');
$q->execute();

if ($q->rowCount() > 0){
    $check = $q->fetch(PDO::FETCH_ASSOC);
    $row_id = $check['id'];
    // do something
}

If you are expecting multiple rows remove the LIMIT 1 and change the fetch method into fetchAll:

$q = $db->prepare("SELECT id FROM table WHERE forename = :forename and surname = :surname");// removed limit 1
$q->bindValue(':forename', 'Joe');
$q->bindValue(':surname',  'Bloggs');
$q->execute();

if ($q->rowCount() > 0){
    $check = $q->fetchAll(PDO::FETCH_ASSOC);
    //$check will now hold an array of returned rows. 
    //let's say we need the second result, i.e. index of 1
    $row_id = $check[1]['id']; 
    // do something
}
Improve this answer

4 Comments

Not sure. Seems like a valid answer to me. I think it would benefit from using 'myname' instead of 'name' and also using multiple params instead of just one.
@GillianLoWong What does the $check = $q->fetch(PDO::FETCH_ASSOC); if (!empty($check)){ $row_id = $check['id']; // do something } do?
Hi @abdul, I have replaced the count/empty check on the array. It was supposed to see if any results were returned. But pdo also has a function called rowCount() that lets you check if any rows were affected/fetched at all. There is no point in fetching data if you dont even know if any rows were selected, so I moved the fetch statement into the if rowCount() statement. :)
@Gillian La Wong thanks for your clean query of bindValue for multiple where query. that save my project.
6

A litle bit complete answer is here with all ready for use:

    $sql = "SELECT `username` FROM `users` WHERE `id` = :id";
    $q = $dbh->prepare($sql);
    $q->execute(array(':id' => "4"));
    $done= $q->fetch();

 echo $done[0];

Here $dbh is PDO db connecter, and based on id from table users we've get the username using fetch();

I hope this help someone, Enjoy!

Improve this answer

1 Comment

Or use fetchColumn() to avoid the [0] being needed. Also, remember to use LIMIT 1 in the SQL.
4

Method 1:USE PDO query method

$stmt = $db->query('SELECT id FROM Employee where name ="'.$name.'"');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

Getting Row Count

$stmt = $db->query('SELECT id FROM Employee where name ="'.$name.'"');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';

Method 2: Statements With Parameters

$stmt = $db->prepare("SELECT id FROM Employee WHERE name=?");
$stmt->execute(array($name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Method 3:Bind parameters 

$stmt = $db->prepare("SELECT id FROM Employee WHERE name=?");
$stmt->bindValue(1, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

**bind with named parameters**
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=:name");
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

or
$stmt = $db->prepare("SELECT id FROM Employee WHERE name=:name");
$stmt->execute(array(':name' => $name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Want to know more look at this link

Improve this answer

1 Comment

Please remove Method 1. It allows mysql injection.
-2

if you are using inline coding in single page and not using oops than go with this full example, it will sure help

//connect to the db
$dbh = new PDO('mysql:host=localhost;dbname=mydb', dbuser, dbpw); 

//build the query
$query="SELECT field1, field2
FROM ubertable
WHERE field1 > 6969";

//execute the query
$data = $dbh->query($query);
//convert result resource to array
$result = $data->fetchAll(PDO::FETCH_ASSOC);

//view the entire array (for testing)
print_r($result);

//display array elements
foreach($result as $output) {
echo output[field1] . " " . output[field1] . "<br />";
}
Improve this answer

3 Comments

While this code snippet may solve the problem, it doesn't explain why or how it answers the question. Please include an explanation for your code, as that really helps to improve the quality of your post. Remember that you are answering the question for readers in the future, and those people might not know the reasons for your code suggestion. Flaggers / reviewers: For code-only answers such as this one, downvote, don't delete!
So what should i delete it my self
No, exactly the opposite. I came across this post in the Low Quality Posts Queue, and so the latter part of my comment was to tell people to not vote to delete. (The suggestion to downvote instead was meant to prompt provisional downvotes, which would be removed after your post has been edited.) As mentioned in my previous comment, it would be better if you added an explanation for why you suggested the code that you did. Also, this question asks about parameterized queries, but field > 6969 looks hard-coded rather than parameterized.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.