Stored Procedure to php pdo

claro · October 9, 2013, 6:06am

Greetings!
Here is my stored procedure


IF EXISTS (
			SELECT *
		FROM guidance.dbo.vw_brw_StudentInfo
		WHERE stud_nID = @ID
		AND stud_sLastName = @LastName
        AND stud_sFirstName =@Firstname
        AND datediff(d,stud_dBirthDate,@bday) =0
                )
        INSERT INTO guidance.tbl_regStudent
	    (stud_id,passwords,stud_email,acode)
        VALUES (@ID,@email,@email,@regcode)
      END

And my php is


 $st = $this->db->prepare("USE guidance EXEC guidance.CheckStudentExist {$sql}");
		$attribute_value = array();

                foreach($attributes as $key => &$value) {
		  $k =  ':'.$key;
                  echo $key.' '.$value.'<br/>';
		  $attribute_value[] = $st->bindParam($k, $value, PDO::PARAM_STR);
		}

		$val = join("<br/> ", $attribute_value);
		$st->execute();
                $st->nextRowset();

                $col = $st->fetchColumn();

                if ($col >0)
                {
                  echo 'Existing ';
                }
               else { echo 'not exist';}

   My problem is it always print 'not exist' even if my data is correct and  my insert query is executed.

These are my attempts:

I added $st->nextRowset()
because it fixed the error ‘he active result for the query contains no fields’.
When I test my queries in SQL 2008 R2, there is error that says ‘Invalid object name.’
I am expecting that my fetchcolumn returns an int value. I choose IF EXIST over COUNT.

Any idea? thank you.

SpacePhoenix · October 9, 2013, 7:04pm

I don’t think that the use of @ is valid as a place holder. from the manual:

The SQL statement can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed. You cannot use both named and question mark parameter markers within the same SQL statement; pick one or the other parameter style. Use these parameters to bind any user-input, do not include the user-input directly in the query.

You’re always going (with your query) to have 4 values that need binding: ID, LastName, FirstName and bday. The rest should have already been sanitized, validated and escaped or bound and prepared in the past when the values were entered into the database. Just use the BindParam function four times instead of looping through. Also your inserting only 4 fields into the guidance.tbl_regStudent table so you should only select just them in the SELECT clause of the SELECT query part.