PDO to prevent sql injections

[MojoCat]

As many PDO discussions / tutorials exist, I have read tons and I am stumped.  I just cannot figure out why mine isn't working.  Any advice is very welcome as I have a very basic understanding of PHP (learning but have to finish this form) and I don't know where else to turn.

Here is the code.  I am just trying to secure 2 variables passed from the page before it - $_GET['CareerID'] and $_GET['Title'].  Someone mentioned that it could be the vars are called out in the sql statement or bind, and someone else said it could be the $resultSet var.  I thank you for taking the time to review.

CODE (X'ing out passwords):

    $conn = new PDO('mysql:host=xxxx;dbname=xxxx', 'xxxx', 'xxxx');
    // set the PDO error mode to exception
   $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Leave column names as returned by the database driver
   $conn->setAttribute(PDO::ATTR_CASE, PDO::CASE_NATURAL);
    // Convert Empty string to NULL
   $conn->setAttribute(PDO::ATTR_ORACLE_NULLS, PDO::NULL_EMPTY_STRING);   

$SQL = "SELECT *
          FROM careerapplicationpost,careerapplicationjobdescription 
         WHERE careerapplicationpost.CareerApplicationPostID = '?'
           AND careerapplicationjobdescription.JobDescriptionTitle = '?'";

$sth = $conn->prepare($SQL);
// binding parameters 
$sth->bindParam(':careerId', $_GET['CareerID'], PDO::PARAM_INT, 100);
$sth->bindParam(':title', $_GET['Title'], PDO::PARAM_STR, 100);
  // executing statement
$sth->execute();
$resultSet = $sth->fetchAll();
foreach ( $conn->query($SQL) as $row ) {
        
    
                        
    //setup the postings
    echo "<h2>";
    echo "<a href=\"/careers/view-career.php?CareerID=$row[CareerApplicationPostID]&Title=$row[JobDescription]\">$row[JobDescriptionDisplayTitle]</a><br />"; 
    echo "</h2><hr />";
    echo "<br />";
    echo $row['Location'];
    echo ", &nbsp;&nbsp;";
    echo $row['FullTimePartTime'];
    echo  "<div class=\"postedon\">Posted on ";
    echo $row['PostedDate'];
    echo "</div>";
    echo "<br />";echo "<br />";
    echo "<strong>Summary:</strong>  ";
    echo $row['JobDescriptionSummary'];
    echo "<br />";echo "<br />";
    echo $row['JobDescriptionEdited'];
    echo "<div class=\"linebreak\">&nbsp;</div>";
    echo "<a href=\"/careers/files/DigiEmploymentApp.pdf\">Please fill out an application here.</a><br />";
    echo "<div class=\"clear\"></div>";
    echo "<hr />";    
}

    

if (!$row['CareerApplicationPostID'])
{
    
header("Location:index.php");
    exit;
    }
$conn = null;                      
?>

[requinix]

Do not put the ?s in quotes. The question marks are placeholders for values and using quotes messes that up.

[ginerjm]

In addition to Requinix's response:

You are binding using symbolic parameters (:careered) yet your query statement doesn't reference them.  Swap out the ? values for the symbolic (named) ones you are binding.  PS - I find using the 'execute(array)' format of this to be easier to use than the bind.  Check out the manual.

[mac_gyver]

the OP is also executing the prepared query, fetching all the data from it, but not using that data, then executing the query again as a non-prepared query (in the foreach ... statement). also, there's no JOIN condition in the query, so every row between the two tables (withrunontablenames) are being cross joined together, and there are no integers in php/mysql that are 100 digits in length. you are also apparently (based on the query and the code after the end of the loop) using a loop to fetch what you expect to be a single row of data.

if you came up with this code from a tutorial it wasn't from ONE working tutorial. you need to make use of the php.net documentation when learning the basics.

you should also disable emulated prepared queries, set the character set, and set the default fetch most to assoc when you make the connection.