4

I'm creating a PDO class to use on my projects, but since I'm new to it I'm not able to bind parameters to a prepared SQL statement, with no error whatsoever. Here's the function that is meant to do it:

# ::bindParam
public static function bind()
{
    # get function arguments
    $args = func_get_args();

    # check for any arguments passed
    if (count($args) < 1)
    {
        return false;
    }

    foreach ($args as $params)
    {
        # named variables for convenience
        $parameter = $params[0];
        $variable = $params[1];
        $data_type = isset($params[2]) ? $params[2] : PDO::PARAM_STR;
        $length = isset($params[3]) ? $params[3] : null;

        # bind param to query
        Database::$statement->bindParam($parameter, $variable, $data_type, $length) or die('error');
    }
}

and a prepared sql statement :

SELECT * FROM `users` WHERE `email` = :email AND `password` = :password LIMIT 1

Can someone point me in the right direction? The query produces no errors at this point. Note that I am assuming the problem is here, although it might not be, since I'm only using bindParam() and prepare().

edit - trigger code

$email = $_POST['email'];
$password = $_POST['password'];

$password = hash('sha256', $password);

$this->db->prepare('SELECT * FROM `users` WHERE `email` = :email AND `password` = :password LIMIT 1');
$this->db->bind(
    array(':email', $email),
    array(':password', $password)
);
$status = $this->db->execute();

if ($status)
{
    $result = $this->db->fetch('assoc');

    $this->template->user = $result;
}
else
{
    $this->template->user = false;
}
hakre
yoda
  • post the code which calls the function – hek2mgl Apr 25 '13 at 15:28
  • How are you calling the function? – Ja͢ck Apr 25 '13 at 15:29
  • *`public static function`* - why static? You should not need to do that, see here: `$this->db->bind(...)`. Also, your password is not salted; do yourself a favor and quickly read through http://php.net/faq.passwords to understand the main problem with it. – hakre Apr 25 '13 at 15:36
  • 1
    Also: You need to provide the error message. Or did I just read over it w/o noticing? – hakre Apr 25 '13 at 15:38
  • @hakre so I could be able to call it from the object instead of instance as well. They both work, in fact, I was able to perform a query before with the class as-is, and strangely it still works fine if I only bind 1 parameter to the query – yoda Apr 25 '13 at 15:38
  • @hakre there is no error message, should I wrap the execute function in a try-catch? – yoda Apr 25 '13 at 15:38
  • "the problem is here" Which problem? How do you mind that the parameters are not bound? Maybe the result is just empty for those parameters. You will not see them in the prepared statement, if that is what you mean. A prepared statement is to be re-used with different parameter sets. – feeela Apr 25 '13 at 15:39
  • Stick to instance, forget static if you ask me. Pass around a variable with that object, you can quickly replace it with a debug object for example to track things down easily and other cool stuff. Static stands often in the way w/o giving much of a benefit esp. if you do it from the beginning. – hakre Apr 25 '13 at 15:40
  • If there is no error message, how can you say there is a problem? – hakre Apr 25 '13 at 15:41

2 Answers

10

As @YourCommonSense already mentioned, the raw PDO interface is a little bit clearer; however, the problem is probably due to the use of the function PDOStatement::bindParam() instead of PDOStatement::bindValue().

The difference between the two is that the first one takes a variable reference, which is constantly overwritten in your foreach loop, while the latter takes the actual value of the variable.


If you're looking for a more friendly database connection interface, why not try Doctrine DBAL?

Crozin
  • Thanks, PDO was not giving me any hint on that. I need to build my own mask to use PDO in order to extend for models in an MVC architecture. – yoda Apr 25 '13 at 16:07
  • +1 for recommending a framework rather than the "rub sticks together to make fire" PDO solution. – tadman Apr 25 '13 at 16:07
3

Just get rid of this function, PDO already has it

$email = $_POST['email'];
$password = $_POST['password'];

$password = hash('sha256', $password);

$this->db->prepare('SELECT * FROM `users` WHERE `email` = :email AND `password` = :password LIMIT 1');
$stmt = $this->db->execute(array(':email'=> $email,':password' => $password));
$this->template->user = $this->db->fetch();

That's all code you need (assuming your class' execute is a regular PDO execute)

Or, to make it in raw PDO:

$email = $_POST['email'];
$password = $_POST['password'];
$password = hash('sha256', $password);

$sql  = 'SELECT * FROM users WHERE email = ? AND password = ? LIMIT 1';
$stmt = $this->db->prepare($sql);
$stmt->execute(array($email, $password));
$this->template->user = $stmt->fetch();

So, it seems your class requires more code than raw PDO. Are you certainly sure you need this class at all?

Your Common Sense
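The following script is an added example and is not code from the question or from either answer. It reproduces, against an in-memory SQLite database so it runs offline, the bindParam()-in-a-loop pitfall that Crozin's answer describes (the same `$variable` local is bound by reference for every placeholder), the bindValue() fix, and the plain execute(array) form from Your Common Sense's answer. It assumes the pdo_sqlite driver is available; the table layout, the two sample users and their passwords are constructed for this example.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP with the pdo_sqlite driver. Table and sample users are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$insert->execute(['alice@example.com', hash('sha256', 'correct horse')]);
$insert->execute(['bob@example.com', hash('sha256', 'battery staple')]);

$sql = 'SELECT email FROM users WHERE email = :email AND password = :password LIMIT 1';

// Broken, as in the question: bindParam() keeps a *reference* to $variable.
// Each iteration reassigns that same local, so when execute() later reads the
// bound variables, both placeholders see the value that was assigned last
// (the password hash), and the WHERE clause can never match.
function bindWithBindParam(PDOStatement $stmt, array $args): void
{
    foreach ($args as $params) {
        $variable = $params[1];
        $stmt->bindParam($params[0], $variable, PDO::PARAM_STR);
    }
}

// Fixed: bindValue() copies the value at the time it is called, so each
// placeholder keeps its own value no matter what happens to the loop variable.
function bindWithBindValue(PDOStatement $stmt, array $args): void
{
    foreach ($args as $params) {
        $stmt->bindValue($params[0], $params[1], PDO::PARAM_STR);
    }
}

// Runs the login query with the given bind helper; returns the row or null.
function findUser(PDO $db, string $sql, callable $binder, string $email, string $hash): ?array
{
    $stmt = $db->prepare($sql);
    $binder($stmt, [[':email', $email], [':password', $hash]]);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Simplest form, as in the second answer: no bind helper at all. execute()
// takes the values directly and binds each of them as PDO::PARAM_STR.
function findUserWithExecute(PDO $db, string $sql, string $email, string $hash): ?array
{
    $stmt = $db->prepare($sql);
    $stmt->execute([':email' => $email, ':password' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$email = 'alice@example.com';
$hash  = hash('sha256', 'correct horse'); // unsalted sha256, kept only to mirror the question

var_dump(findUser($db, $sql, 'bindWithBindParam', $email, $hash));
var_dump(findUser($db, $sql, 'bindWithBindValue', $email, $hash));
var_dump(findUserWithExecute($db, $sql, $email, $hash));
```

The first lookup returns null because both placeholders were bound to one reference that ends up holding the password hash; the second and third return Alice's row. This is also why binding a single parameter appeared to work in the question: with one placeholder there is only one reference and nothing overwrites it. The sha256 step is kept purely to match the original query; for real credential storage use password_hash() and password_verify(), as hakre's comment points out.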