we are trying to make our site safer from injection, and have hit a problem and I cant work out the answer.
if (!empty($_GET['regions']) ? $_GET['regions'] : null) {
$regionsArray = array();
foreach($_GET['regions'] as $regions) {
$regionsArray[] = ''.$regions.'';
}
$placeHoldersRegion = implode(',', array_fill(0, count($regionsArray), '?'));
$sqlregion = ' AND IdRsrt_Hot IN ('.$placeHoldersRegion.')';
}
and using the above in the code below I get the error also below
if ($sqlregion!="" && $sqlstar=="" && $sqlcategory==""){
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=:selectCountry) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
$f->bindParam(":selectCountry", $selectCountry);
//$f->bindParam(":regionData", $regionData);
$f->execute($regionsArray);
Fatal error: Uncaught exception ‘PDOException’ with message ‘SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters’ in \CSFFILES11\WEBSITES\dlt.php:316 Stack trace: #0 \CSFFILES11\WEBSITES\dult.php(316): PDO->prepare(‘select DISTINCT…’) #1 {main} thrown in
you use ?
and :selectCountry
in the same statement, which is invalid (as the error message tells you).
Hi Dormilich,
I wasn’t sure what was going on in honesty, so didn’t see the error as you see it.
I have a lot of these to sort out, so could you advise the way around it…
$selectCountry=@$_GET[‘Country’];
I’m getting that value from the line above
either use only positional placeholders (?
) or only named placeholders (:name
) but not both.
I understand I needed to do that, so with $selectCountry, do I add the question mark using a similar way to below, just not sure as its not an array
$placeHoldersRegion = implode(‘,’, array_fill(0, count($regionsArray), ‘?’));
but
$countryRegion = implode(‘,’, array_fill(0, count($selectCountry), ‘?’));
If it’s a scalar value then you just use ?
in the sql.
I tried this as it sort of made sense, but it didnt work
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=:?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
$f->bindParam(":?", $selectCountry);
$f->execute($regionsArray);
and without the :
Is “:?” a valid placeholder name?
mmm
is this it?
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
$f->execute($selectCountry, $regionsArray);
dont think so though
the sql looks correct so far, but the execute()
must be called with a single array containing all the data.
Ye funny I was just thinking that and tried below
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
$f->execute(array_merge($selectCountry, $regionsArray));
But the first value isnt an array, just a single string value
lol no, I’m not getting it
$regionsArrayb = $regionsArray;
$regionsArrayb = array_push($selectCountry, $regionsArrayb);
$f->execute($regionsArrayb);
wasn’t the answer, I think I can hear you chuckle from here.
Could you push me a step on Dormilich
Ahh frustrating, I did manage to get around to that (honestly), but I had it as below and again it didnt work so moved on with it.
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
$selectCountryb = array($selectCountry);
array_unshift($regionsArray, $selectCountryb);
$f->execute($regionsArray);
Error: Array to string conversion in
and then cut it down to this and there no error, but nothing showing.
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
array_unshift($regionsArray, $selectCountry);
$f->execute($regionsArray);
What is in “idcntryhot” that would make it equal to the regions array and the selected country? Surely you only want to pass in $selectCountry
to the query, as you only have the single parameter?
idcntryhot is a numerical value
Sorry, read earlier posts. Ignore this and my previous question.
No worries droopsnoot, this is now the full chunk of code and the checkboxes arent appearing
I echo’s out the array values and they are working.
$f = $pdo->prepare("select DISTINCT(tbl_hotels.IdCat_Hot) from tbl_hotels WHERE (Act_Hot='1') AND (IdCat_Hot IN (1,2,3,4,5)) AND (IdCntry_Hot=?) AND (IdRsrt_Hot IN (".$placeHoldersRegion.")) order by IdCat_Hot ASC");
array_unshift($regionsArray, $selectCountry);
$f->execute($regionsArray);
while ($t = $f->fetch()) { ?>
<input type="checkbox" name="star[]" value="<?php echo $t['IdCat_Hot']?>" onClick="javascript:checkRefresh()" <?php echo (isset($_REQUEST['star']) && in_array($t['IdCat_Hot'], $_REQUEST['star'])) ? 'checked="checked"' : '' ?> class="inline" />
<?php echo $t['IdCat_Hot']?> Star