php - mysqli bind_param for array of strings
Get the solution ↓↓↓
I can not get this to work. I've spent way to many hours on it now.
This works:
$mysqli = new mysqli("localhost", "root", "root", "db");
if(!$mysqli || $mysqli->connect_errno)
{
return;
}
$query_str= "SELECT name FROM table WHERE city IN ('Nashville','Knoxville')";
$query_prepared = $mysqli->stmt_init();
if($query_prepared && $query_prepared->prepare($query_str))
{
$query_prepared->execute();
But this I can NOT get it to work with a bind_param like this:
$query_str= "SELECT name FROM table WHERE city IN (?)";
$query_prepared = $mysqli->stmt_init();
if($query_prepared && $query_prepared->prepare($query_str))
{
$cities= explode(",", $_GET['cities']);
$str_get_cities= "'".implode("','", $get_cities)."'"; // This equals 'Nashville','Knoxville'
$query_prepared->bind_param("s", $cities);
$query_prepared->execute();
What am I doing wrong?
I've also triedcall_user_func_array, but can't seem to get the syntax correct.
EDIT:
I've rigorously tried moskito-x's suggestions and tons of examples listed here and else where on SO and random websites, and nothing works. I think the issue might be PHP 5.4, which is what my MAMP is set to right now.
Answer
Solution:
The task is a bit elaborate but doable. I'll take the explanation from my article Mysqli prepared statement with multiple values for IN clause:
- First of all we will need to create a string with as many
?marks as many elements are in your array. For this we would usestr_repeat()function which comes very handy for the purpose.- Then this string with comma separated question marks have to be added to the query. Although it's a variable, in this case it is safe as it contains only constant values
- then this query must be prepared just like any other query
- then we will need to create a string with types to be used with bind_param(). Note that there is usually no reason to use different types for the bound variables - mysql will happily accept them all as strings. There are edge cases, but extremely rare. For the everyday use you can always keep it simple and use "s" for the everything.
str_repeat()is again to the rescue.- then we need to bind our array values to the statement. Unfortunately, you cannot just write it as a single variable, like this
$stmt->bind_param("s", $array), only scalar variables are allowed inbind_param(). Luckily, there is an argument unpacking operator that does exactly what we need - sends an array of values into a function as though it's a set of distinct variables!- the rest is as usual - execute the query, get the result and fetch your data!
So the correct example code would be
$array = ['Nashville','Knoxville']; // our array
$in = str_repeat('?,', count($array) - 1) . '?'; // placeholders
$sql = "SELECT name FROM table WHERE city IN ($in)"; // sql
$stmt = $mysqli->prepare($sql); // prepare
$types = str_repeat('s', count($array)); //types
$stmt->bind_param($types, ...$array); // bind array at once
$stmt->execute();
$result = $stmt->get_result(); // get the mysqli result
$data = $result->fetch_all(MYSQLI_ASSOC); // fetch the data
Although this code is rather big, it is incomparably smaller than any other plausible solution offered in this topic so far.
Answer
Solution:
You can not bind two variables with onequestion mark !
For every variable you bind you need onequestion mark
"bind_param" checks each variable whether it matches the requirements. afterwards the string value is placed between quotes.
This will not work.
"SELECT name FROM table WHERE city IN (?)"; ( becomes too )
$q_prepared->bind_param("s", $cities);
"SELECT name FROM table WHERE city IN ('city1,city2,city3,city4')";
must be.
"SELECT name FROM table WHERE city IN (?,?,?,?)"; ( becomes too )
$q_prepared->bind_param("ssss", $city1,$city2,$city3,$city4);
"SELECT name FROM table WHERE city IN ('city1','city2','city3','city4')";
$query_prepared->bind_param quotes string params one by one.
And the number of variables and length of string types must match the parameters in the statement.
$query_str= "SELECT name FROM table WHERE city IN ('Nashville','Knoxville')";
will become
$query_str= "SELECT name FROM table WHERE city IN (?,?)";
nowbind_param must be
bind_param("ss",$arg1,$arg2)
with this
$query_str= "SELECT name FROM table WHERE city IN (?)";
andbind_param with
bind_param("s",$cities)
you get
$query_str= "SELECT name FROM table WHERE city IN ('Nashville,Knoxville')";
That's why an array not works .
The only solution for this fact iscall_user_func_array
if you init a statement, following is unnecessary
$query_prepared = $mysqli->stmt_init();
if($query_prepared && $query_prepared->prepare($query_str)) {
This is correct
$query_prepared = $mysqli->stmt_init();
if($query_prepared->prepare($query_str)) {
if you don't want to usecall_user_func_array
and you have only a small count of arguments
you can do it with the following code.
[...]
$cities= explode(",", $_GET['cities']);
if (count($cities)>3) { echo "too many arguments"; }
else
{
$count = count($cities);
$SetIn = "(";
for($i = 0; $i < $count; ++$i) {
$code.='s';
if ($i>0) {$SetIn.=",?";} else {$SetIn.="?";}
}
$SetIn.=")";
$query_str= "SELECT name FROM table WHERE city IN ".$SetIn;
// with 2 arguments $query_str will look like
// SELECT name FROM table WHERE city IN (?,?)
$query_prepared = $mysqli->stmt_init();
if($query_prepared->prepare($query_str))
{
if ($count==1) { $query_prepared->bind_param($code, $cities[0]);}
if ($count==2) { $query_prepared->bind_param($code, $cities[0],$cities[1]);}
if ($count==3) { $query_prepared->bind_param($code, $cities[0],$cities[1],$cities[2]);
// with 2 arguments $query_prepared->bind_param() will look like
// $query_prepared->bind_param("ss",$cities[0],$cities[1])
}
$query_prepared->execute();
}
[...]
}
I would suggest you try it withcall_user_func_array to reach.
look for the solution ofnick9v
mysqli-stmt.bind-param
Answer
Solution:
use call_user_func_array like this:
$stmt = $mysqli->prepare("INSERT INTO t_file_result VALUES(?,?,?,?)");
$id = '1111';
$type = 2;
$result = 1;
$path = '/root';
$param = array('siis', &$id, &$type, &$result, &$path);
call_user_func_array(array($stmt, 'bind_param'), $param);
$stmt->execute();
printf("%d row inserted. \n", $stmt->effected_rows);
$stmt->close;
Answer
Solution:
As of PHP version 8.1, binding is no longer required. As with PDO since version 5.0, you can now pass parameters as an array directly to the execute method.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "root", "root", "db");
$params = ['Nashville','Knoxville'];
$placeholders = str_repeat('?,', count($params) - 1) . '?'
$query = "SELECT name FROM table WHERE city IN ($placeholders)";
$stmt->prepare($query);
$stmt->execute($params);
Another example, if you have an associative array with keys matching column names:
$data = ["bar" => 23, "baz" => "some data"];
$columns = implode(",", array_keys($data));
$placeholders = str_repeat('?,', count($data) - 1) . '?'
$params = array_values($data);
$db = new mysqli($host, $user, $pass, $database);
$stmt = $db->prepare("INSERT INTO foo ($columns) VALUES ($placeholders)");
$stmt->execute($params);
Answer
Solution:
I was having trouble with this too, and got it working witheval before finding out that most people are usingcall_user_func_array
$fields = array('model','title','price'); // fields in WHERE clause
$values = array( // type and value for each field
array('s','ABCD-1001'),
array('s','[CD] Test Title'),
array('d','16.00')
);
$sql = "SELECT * FROM products_info WHERE "; // start of query
foreach ($fields as $current){ // build where clause from fields
$sql .= '`' . $current . '` = ? AND ';
}
$sql = rtrim($sql,'AND '); // remove last AND
$stmt = $db->prepare($sql);
$types = ''; $vals = '';
foreach ($values as $index => $current_val){ // build type string and parameters
$types .= $current_val[0];
$vals .= '$values[' . $index . '][1],';
}
$vals = rtrim($vals,','); // remove last comma
$sql_stmt = '$stmt->bind_param("' . $types . '",' . $vals . ');'; // put bind_param line together
eval($sql_stmt); // execute bind_param
$stmt->execute();
$stmt->bind_result($col1,$col2,$col3,$col4,$col5,$col6); // this could probably also be done dynamically in the same way
while ($stmt->fetch()){
printf("%s %s %s %s %s %s\n", $col1,$col2,$col3,$col4,$col5,$col6);
}
Answer
Solution:
The way I did it: prepare the query with all its separate question marks, as well as the type string.
$cities = array('Nashville','Knoxville');
$dibs = '';
$query = "SELECT name FROM table WHERE city IN (";
$marks = array();
foreach ($cities as $k => $city) {
// i,s,b,d type based on the variables to bind.
$dibs .= 's';
array_push($marks, '?');
}
$query .= implode(',', $marks) .')';
Connect.
$mysql = new mysqli($host, $user, $pass, $dbname);
$statement =
$mysql->prepare($query)
OR die(sprintf(
'Query error (%s) %s', $mysql->errno, $mysql->error
))
;
Then you use "..." token / ellipsis (documentation) in order to bind the array.
if ($statement) {
$statement->bind_param($dibs, ...$cities);
$statement->execute();
$statement->close();
}
$mysql->close();
I know it kinda defeats the purpose of binding in order to escape (but at least it works good with a list of integers, i.e. IDs). If you see a way how to improve this approach, feel free to edit/comment.
Answer
Solution:
This is what I did after naming the form inputs the same as the mysql column names.
$post_fields = array_keys($_POST);
$post_values = array_values($_POST);
$fields_type_i = array("age","age_share","gender_share"); // all mysql col names type int
$fields = ""; // user input fields
$values = ""; // user input vals
$placeholders = ""; // ?,?,?
$params_type = ""; // s=string i=integer
foreach ($post_fields as $field) {
$fields .= "`".$field."`,";
}
for ($i=0;$i<count($post_fields);$i++) { // bind i and s param types
$placeholders .= "?,";
if (in_array($post_fields[$i],$fields_type_i)) {
$params_type .= "i";
} else {
$params_type .= "s";
}
$values .= $post_values[$i];
}
OR
for ($i=0;$i<count($post_fields);$i++) { // binding only s param type
if (in_array($post_fields[$i],$fields_type_i)) {
$placeholders .= $post_values[$i].",";
} else {
$placeholders .= "?,";
$params_type .= "s";
$values .= $post_values[$i];
}
}
$fields = rtrim($fields,","); // removing last commas
$values = rtrim($values,",");
$placeholders = rtrim($placeholders,",");
$params_string = $params_type.','.$values;
$params_vals = explode(",",$params_string); // array of vals
$params_refs = array();
foreach($params_vals as $key => $value) $params_refs[$key] = &$params_vals[$key]; // array of refs
$stmt = $mysqli -> prepare('INSERT INTO pets ('.$fields.') VALUES ('.$placeholders.')');
if ($stmt && call_user_func_array(array($stmt, 'bind_param'), $params_refs) && $stmt -> execute()) {
echo 'Success';
} else {
echo $stmt -> error;
}
Share solution ↓
Additional Information:
Link To Answer People are also looking for solutions of the problem: attempt to read property "id" on null
Didn't find the answer?
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Similar questions
Find the answer in similar questions on our website.
Write quick answer
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.