使用新的pdo方法将信息插入数据库会给我一个错误

Question

I am trying to migrate from the old SQL method to the new PDO methods for dealing with database.

Here is what I have so far:

try{
$conn = new PDO(.......)//this code is working fine
$conn->exec("SET CHARACTER SET utf8");

$query = "INSERT INTO TABLE(name,username,password)VALUES(:name,:username,:password)";

$prepare_query = $conn->prepare($query);

$prepare_query->bindValue(':name',$name,PDO::PARAM_STR);
$prepare_query->bindValue(':username',$user,PDO::PARAM_STR);
$prepare_query->bindValue(':password',$pass,PDO::PARAM_STR);

$count = $conn->exec($prepare_query);//error is somewhere here
}catch(PDOException $e){
echo $e->getMessage();
}

if($count > 0) echo "done";

Now the error I am receiving is Warning: PDO::exec() expects parameter 1 to be string, object given in C:\\xampp\\htdocs\\drug_center\\includes\\NewAccount.php on line 42.

I am a NEWBEE when it comes to the PDO methods. I have read this ! but here it is not showing me how to prepare the statement. I want to protect my data base as much as possible. Can someone please explain where I have gone wrong and how to fix this?

Answer 1

The connection object's ->exec() method expects a string as its first argument containing the query to run, but the prepared statement does what you expect with ->execute() :

$success = $prepare_query->execute();
// $success is true if execution was okay
$count = $prepare_query->rowCount();
// $count is the rows affected

Answer 2

Try binding in the exec method.

$sql = "INSERT INTO TABLE(name,username,password)VALUES(:name,:username,:password)";
$q = $conn->prepare($sql);
$q->execute(array(':name'=>$name,
                  ':username'=>$username,
                      ':password'=>$password));