MDanz Posted July 6, 2012

The below prepared statement doesn't insert into the database.

```php
$sid = 1;
$sid2 = $GET['sid2']; //empty
$position = 0;
$name = "John";
$new = $connectdb->prepare("INSERT INTO `table1` VALUES ('',:sid,:sid2,:position,:name)");
$new->execute(array(':sid'=>$sid,':sid2'=>$sid2,':position'=>$position,':name'=>$name));
```

When I add quotations to execute array values, then the insert works.

```php
$new->execute(array(':sid'=>"$sid",':sid2'=>"$sid2",':position'=>"$position",':name'=>"$name"));
```

What I want to know is: by adding quotations, does this affect PDO's sanitization?

xyph Posted July 6, 2012

You shouldn't have to add quotes...

```php
<?php

try {
    $pdo = new PDO('mysql:host=localhost;dbname=db','root','');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $val1 = 'foo';
    $val2 = 'bar';

    $q = 'INSERT INTO test (column1, column2) VALUES (:param1, :param2)';
    $stmt = $pdo->prepare($q);
    $stmt->execute( array(':param1'=>$val1,':param2'=>$val2) );
} catch( PDOException $e ) {
    // errorInfo is an array, and $pdo is undefined if the connection itself failed,
    // so read the details from the exception and join them into a string.
    echo 'Error: '.$e->getMessage().'<br>'.implode(' ', (array) $e->errorInfo);
}

?>
```

Works fine for me.

requinix Posted July 6, 2012

PDO treats null values in PHP as NULL values in MySQL. Apparently the third column in that table doesn't allow for NULLs. (Or maybe there's a uniqueness constraint.)

And yes, null. Because unless you defined a $GET array (cough underscore) then $sid2 is null.
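
The behaviour requinix describes, as an added example that is not part of any post in this thread: quoting a variable only casts it to a string in PHP (null becomes `''`), and the value is bound as a parameter either way. Assumptions: an in-memory SQLite database (requires `pdo_sqlite`) stands in for the MySQL table, the schema with NOT NULL columns is hypothetical, and `$get` and `$hostile` are constructed sample values.

```php
<?php
// Added example: SQLite in-memory stands in for the thread's MySQL table (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Hypothetical schema: sid2 is NOT NULL, as requinix suspects of the third column.
$pdo->exec('CREATE TABLE table1 (
    id INTEGER PRIMARY KEY, sid INTEGER NOT NULL, sid2 TEXT NOT NULL,
    position INTEGER NOT NULL, name TEXT NOT NULL)');

$insert = $pdo->prepare(
    'INSERT INTO table1 (sid, sid2, position, name) VALUES (:sid, :sid2, :position, :name)');

// Run one insert and report whether the database accepted it.
function tryInsert(PDOStatement $stmt, array $params): string {
    try {
        $stmt->execute($params);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

$get = [];                     // constructed request: no sid2 parameter was sent
$sid2 = $get['sid2'] ?? null;  // null, like the undefined $GET in the question
$hostile = "x'); DROP TABLE table1; --";  // constructed sample value

// 1. null is bound as SQL NULL and hits the NOT NULL constraint.
echo tryInsert($insert, [':sid' => 1, ':sid2' => $sid2, ':position' => 0, ':name' => 'John']), "\n";
// 2. "$sid2" casts null to '' in PHP before PDO sees it, so the row is accepted.
echo tryInsert($insert, [':sid' => 1, ':sid2' => "$sid2", ':position' => 0, ':name' => 'John']), "\n";
// 3. Quoted or not, the string is handled as data, not as SQL text.
echo tryInsert($insert, [':sid' => 2, ':sid2' => 'a', ':position' => 0, ':name' => $hostile]), "\n";
echo tryInsert($insert, [':sid' => 3, ':sid2' => 'b', ':position' => 0, ':name' => "$hostile"]), "\n";

// The table still exists and the hostile string is stored verbatim in both rows.
foreach ($pdo->query('SELECT sid, sid2, name FROM table1') as $row) {
    printf("sid=%d sid2=%s name=%s\n", $row['sid'], var_export($row['sid2'], true), $row['name']);
}

// Check the input explicitly instead of letting the string cast hide a missing value.
if ($sid2 === null || $sid2 === '') {
    echo "sid2 missing: reject the request rather than insert ''\n";
}
```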