PHP PDO sql statement

[razorsese]

I'm having a problem whit the pdo - sql statement:

It dosen't return anything

but when i try $sql = " SELECT en FROM word WHERE MATCH (sp) AGAINST (:word IN BOOLEAN MODE ) "; without the pdo it's working perfectly

$sql = " SELECT en FROM word WHERE MATCH (:sp) AGAINST (:word IN BOOLEAN MODE ) ";
	$st = $con->prepare($sql);
	$st->bindValue(":word",$word,PDO::PARAM_STR);

	  $st->bindValue(':sp','sp',PDO::PARAM_STR);


    
	$st->execute();

[Jessica]

what is the value of $word?

[razorsese]

Sorry for my late reply!!

 

The $word value is a value entered by user

I always use "honey" for test

[Jessica]

Are you sure that $word is actually being populated? If you echo it do you see a value?

Does that value actually exist in the DB?

Do you have error reporting turned on?

[razorsese]

Yes because when i remove the pdo from mysql statement it's working perfectly whit that value

And my error report are on

[kicken]

You can't bind a column name, only values.  What your running is a statement more like:

SELECT en FROM word WHERE MATCH ('sp') AGAINST ('honey' IN BOOLEAN MODE ) 

 

Your matching the literal string value 'sp' against the word honey.  Just put your column name in directly rather than bindValue a placeholder.

 

$sql='SELECT en FROM word WHERE MATCH (sp) AGAINST (:word IN BOOLEAN MODE ) ';
$st = $con->prepare($sql);
$st->bindValue(":word",$word,PDO::PARAM_STR);
$st->execute();

 

[razorsese]

First thanks for answer

And second isn't there any work around to put column names from a variable?!

[xyph]

You don't quote it in the query.

 

$col = 'column';
$query = 'SELECT '.$col.' FROM table';
echo $query;

 

If you want to specify a column name from user-data, you need to have very strict sanitization. Generic escape functions won't work.