phppdoprepared-statementexecuterowcount

PHP PDO execute/prepare doesn't seem to work


<?php    
    $abc = $objpdo->prepare("SELECT * FROM testdb.users WHERE user = ':login' AND user_pass=PASSWORD(':password')");
    $abc->bindParam(':login', $_POST['name']);
    $abc->bindParam(':password', $_POST['pw']);    
    $abc->execute(); 
    echo $abc->rowCount();
    // the example above doesn't work rowCount is always 0
    $abc = $objpdo->prepare("SELECT * FROM testdb.users WHERE user = '?' AND user_pass=PASSWORD('?')");
    $abc->execute([$_POST['name'], $_POST['pw']]);
    echo $abc->rowCount();
    // and again rowCount is always 0
    $abc = $objpdo->query("SELECT * FROM testdb.users WHERE user = '".$_POST['name']."' AND user_pass=PASSWORD('".$_POST['pw']."')");
    echo $abc->rowCount();
    // this thing here is working
?>

The prepared statements i have at my code doesn't seem to work, the strange thing is when i try running query() without preparing it but just directly passing the values to the string its working.

Note that i always try this code with existed users/passwords.


Solution

  • The placeholders don't need quotes around them or else the query will just treat them as strings, not placeholders.

    $abc = $objpdo->prepare("SELECT * FROM testdb.users WHERE user = :login AND user_pass=PASSWORD(:password)");
    

    Same with the ordinal placeholders (question marks):

    $abc = $objpdo->prepare("SELECT * FROM testdb.users WHERE user = ? AND user_pass=PASSWORD(?)");