
PHP: variable into SQL QUERY (PDO)

I'm querying a table from a MySQL database using PDO, as you can see:

$reponse = $bdd->query('SELECT * FROM exercices WHERE chapitre=\'hello\' ORDER BY id DESC');

Now I want to do the same thing, but instead of 'hello' I would like to use a variable set earlier, like this:

$reponse = $bdd->query('SELECT * FROM exercices WHERE chapitre=\'echo $cat\' ORDER BY id DESC');

It doesn't work. I may have a problem with "echo $cat". Does somebody know? Thanks.

Use bound variables. I don't know where the variable is coming from, but to be safe:

$reponse = $bdd->prepare('SELECT * FROM exercices WHERE chapitre=:cat ORDER BY id DESC'); // prepare(), not query(): a placeholder must be bound before execute()
$reponse->bindParam(':cat', $cat, PDO::PARAM_STR); //assuming it is a string
$reponse->execute();
$result = $reponse->fetchAll(); //make the select
print_r($result);  //debug

You do not need to echo the variable when passing it as an argument. Wrap the whole string in double quotes and place the variable inside it. Double-quoted strings are parsed by PHP, which substitutes the variable values into the string.

Use it this way:

$reponse = $bdd->query("SELECT * FROM exercices WHERE chapitre= '$cat' ORDER BY id DESC");

Your query can be:

$reponse = $bdd->query('SELECT * FROM exercices WHERE 
chapitre=\''.$cat.'\' ORDER BY id DESC');

You should understand the difference between "" and ''. You can also put " inside two single quotes without any problem, and vice versa. If you want to write " inside two double quotes you should use \, and the same applies when you write ' inside two single quotes.

The way I do a query like that is this:

$cat = $_POST['cat'];
$response = $bdd->prepare("SELECT * FROM exercices WHERE chapitre= :cat ORDER BY id DESC");
$response->bindParam(':cat', $cat,PDO::PARAM_STR);
$response->execute();

I like this the best, as it's clean and easy to understand.
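The answers above show two ways of getting $cat into the query: interpolating it into the SQL text (the double-quote and concatenation answers) and binding it as a parameter with prepare(). The following is an added example, not code from the question or any answer, that runs both side by side so the difference is visible. It uses the exercices table and chapitre column from the page, but the rows, the titre column, and the hostile input are constructed for the demonstration, and it assumes PHP with the pdo_sqlite driver so an in-memory database can stand in for MySQL.

```php
<?php
// Added example: interpolated vs. bound $cat, on a constructed in-memory SQLite table.
// Assumes the pdo_sqlite extension; the rows and the 'titre' column are made up.

function buildDatabase(): PDO
{
    $bdd = new PDO('sqlite::memory:');
    $bdd->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $bdd->exec('CREATE TABLE exercices (id INTEGER PRIMARY KEY, chapitre TEXT NOT NULL, titre TEXT NOT NULL)');

    $ins = $bdd->prepare('INSERT INTO exercices (chapitre, titre) VALUES (:chapitre, :titre)');
    // Constructed sample rows: two in chapter 'hello', one in a chapter the caller should never see.
    foreach ([['hello', 'Exercise 1'], ['hello', 'Exercise 2'], ['secret', 'Hidden exercise']] as [$chapitre, $titre]) {
        $ins->execute([':chapitre' => $chapitre, ':titre' => $titre]);
    }
    return $bdd;
}

// The interpolation pattern from the answers above: $cat becomes part of the SQL text,
// so anything it contains (including quotes) is parsed as SQL.
function fetchInterpolated(PDO $bdd, string $cat): array
{
    $reponse = $bdd->query("SELECT * FROM exercices WHERE chapitre='$cat' ORDER BY id DESC");
    return $reponse->fetchAll(PDO::FETCH_ASSOC);
}

// The prepared-statement pattern: $cat is sent as a value for the placeholder and is
// never parsed as SQL, whatever it contains.
function fetchBound(PDO $bdd, string $cat): array
{
    $reponse = $bdd->prepare('SELECT * FROM exercices WHERE chapitre = :cat ORDER BY id DESC');
    $reponse->bindValue(':cat', $cat, PDO::PARAM_STR);
    $reponse->execute();
    return $reponse->fetchAll(PDO::FETCH_ASSOC);
}

$bdd = buildDatabase();

// Normal input: both variants return the two 'hello' rows.
printf("interpolated, cat=hello: %d rows\n", count(fetchInterpolated($bdd, 'hello')));
printf("bound,        cat=hello: %d rows\n", count(fetchBound($bdd, 'hello')));

// Hostile input (constructed): closes the quote and appends a condition that is always true.
// Interpolated, the WHERE clause becomes  chapitre='x' OR '1'='1'  and every row comes back.
// Bound, the whole string is compared as a chapter name and nothing matches.
$hostile = "x' OR '1'='1";
printf("interpolated, cat=%s: %d rows\n", $hostile, count(fetchInterpolated($bdd, $hostile)));
printf("bound,        cat=%s: %d rows\n", $hostile, count(fetchBound($bdd, $hostile)));
```

Running it prints 2 and 2 for the normal input, then 3 for the interpolated query (all rows, including the 'secret' one) and 0 for the bound query. The same difference applies to MySQL; only the DSN changes. bindValue() is used here because the value is a plain string; bindParam(), as in the answers above, binds by reference and reads the variable at execute() time, which matters only if $cat changes between binding and executing.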
