In my mind, the following script should work:

```php
$stmt = $db->prepare("UPDATE table SET status = ?, date_modified = ?");
$stmt->execute(array(1, 'NOW()'));
```
but when passing NOW() into the prepared statement, nothing happens. Replacing NOW() with an actual date (i.e. 2010-11-23) works just fine.

I am unable to find an explanation online. Any ideas?
Just to further clarify and get rid of any confusion in the question: I want to actually pass a variable into the prepared statement, HOWEVER, the variable will be set to one of five possible date/time functions for MySQL, e.g.

```php
$var = 'NOW()';
$var = 'LAST_DAY(DATE_ADD(CURDATE(), INTERVAL 1 MONTH))';
$var = 'LAST_DAY(CURDATE())';
```

... and so on...

The prepared statement then turns into:

```php
$stmt->execute(array(1, $var));
```

I know this will return the same NULL results, but I am worried that if I simply change the SQL statement to:

```sql
UPDATE table SET status = ?, date_modified = $var
```

I am opening myself up to injection?
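The safe pattern for the situation in the question is to never interpolate the variable itself: map a short key to one of the fixed expressions, and only the whitelisted fragment ever reaches the SQL text, while the status value stays bound. This is an added example, not code from the question or either answer; the table and column names are taken from the question and the PDO connection details are placeholders.

```php
<?php
// Added example: whitelist the allowed MySQL date expressions and interpolate
// only the whitelisted fragment. Caller input selects a key, never SQL text.
const DATE_EXPRESSIONS = [
    'now'            => 'NOW()',
    'end_of_month'   => 'LAST_DAY(CURDATE())',
    'end_next_month' => 'LAST_DAY(DATE_ADD(CURDATE(), INTERVAL 1 MONTH))',
];

/**
 * Build the UPDATE statement and its bound parameters.
 * The status value is bound with "?"; the date expression is looked up by key,
 * so an unknown or unexpected key is rejected instead of being interpolated.
 */
function buildStatusUpdate(int $status, string $dateKey): array
{
    if (!array_key_exists($dateKey, DATE_EXPRESSIONS)) {
        throw new InvalidArgumentException("Unknown date expression key: $dateKey");
    }
    // `table` is backquoted because it is a reserved word in MySQL.
    $sql = 'UPDATE `table` SET status = ?, date_modified = ' . DATE_EXPRESSIONS[$dateKey];
    return [$sql, [$status]];
}

/** Run the update and return the number of affected rows. */
function runStatusUpdate(PDO $db, int $status, string $dateKey): int
{
    [$sql, $params] = buildStatusUpdate($status, $dateKey);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Self-check without a database: the SQL text contains only the whitelisted fragment.
[$sql, $params] = buildStatusUpdate(1, 'now');
if ($sql !== 'UPDATE `table` SET status = ?, date_modified = NOW()' || $params !== [1]) {
    throw new RuntimeException('unexpected SQL or parameters');
}
try {
    buildStatusUpdate(1, 'tomorrow');          // not in the whitelist
    throw new RuntimeException('unknown key must be rejected');
} catch (InvalidArgumentException $e) {
    // expected: the key is rejected before any SQL is built
}

// Usage against a real connection (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// echo runStatusUpdate($db, 1, 'end_of_month');
```

Because the mapping is a constant in the code, the five expressions are reviewable in one place and the variable from the question never becomes part of the statement text.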
PDO will emulate prepared statements/bound parameters for drivers that do not natively support them, and can also rewrite named or question mark style parameter markers to something more appropriate, if the driver supports one style but not the other.
Prepared Statements in Application Programs: You can use server-side prepared statements through client programming interfaces, including the MySQL C API client library for C programs, MySQL Connector/J for Java programs, and MySQL Connector/NET for programs using .

```php
$stmt->bind_param("sss", $firstname, $lastname, $email);
```

This function binds the parameters to the SQL query and tells the database what the parameters are. The "sss" argument lists the types of data that the parameters are.
In layman's terms, PDO prepared statements work like this: Prepare an SQL query with empty values as placeholders with either a question mark or a variable name with a colon preceding it for each value. Bind values or variables to the placeholders. Execute query simultaneously.
You do not need to pass NOW() as a parameter as there is no need to do any processing on it, given it is a built in SQL function, so just include it in the actual query like below.

```php
$stmt = $db->prepare("UPDATE table SET status = ?, date_modified = NOW()");
```

Alternatively, you can just set the date_modified to a TIMESTAMP field and it will automatically update the date_modified field on a SQL Update.
Prepared statements interpret everything you insert into them as a literal string. This is to prevent any type of unpredictable SQL injection.
What is actually happening is that NOW() is attempting to be inserted into the database just as it reads (literally, NOW()) instead of getting the actual date to insert. It is then probably showing blank in your database because you have a date column, which doesn't interpret NOW() as a date and therefore doesn't accept it.
If possible, you should try to execute the SQL without using any substitution methods as there is nothing dangerous to this approach.