
I want to try to show my data from the database using bindParam, but I get an error.

Recoverable fatal error: Object of class PDOStatement could not be converted to string in C:\xampp\htdocs\piratefiles\search.php on line 15

Here is my code:

$category = htmlentities($_GET['c']);
$query    = htmlentities($_GET['q']);   // $query holds the search string at this point

$page        = isset($_GET['page']) ? (int) $_GET['page'] : 1;  // cast: this value is concatenated into the SQL below
$limit       = 20;
$limit_start = ($page - 1) * $limit;

// Column names must be bare or backtick-quoted; 'category' in single quotes is a string literal, not a column
$query = $db->prepare("SELECT * FROM `posting` WHERE `category` = :category AND `file_name` LIKE :query ORDER BY `date` DESC LIMIT " . $limit_start . "," . $limit);
// $query now holds the PDOStatement; the search string has been overwritten

$query->bindParam(":category", $category);
$query->bindParam(":query", $query);   // this is the failing call: $query is the statement object, not a string

$query->execute();
M. Eriksson
jazuly aja
    You're overwriting the `$query`-variable with your prepared statement. First you have `$query = htmlentities($_GET['q']);`, then you have `$query = $db->prepare(...)` and last you have `$query->bindParam(":query", $query);`. Use different variable names for different things. – M. Eriksson Dec 31 '17 at 02:19
  • Ah, I forgot about that. Thanks. But I added some code since I'm using `LIKE`. I edited my question. Now it's working well. – jazuly aja Dec 31 '17 at 02:28

2 Answers


`$query` was the user input, then you assigned the PDOStatement to it, then you're passing it back to bindParam.

Change the var name.

$category = htmlentities($_GET['c']);
$query    = htmlentities($_GET['q']);   // search string, kept under its own name

$page        = isset($_GET['page']) ? (int) $_GET['page'] : 1;  // cast: this value is concatenated into the SQL below
$limit       = 20;
$limit_start = ($page - 1) * $limit;

// The statement gets a separate variable, so $query still holds the user input when it is bound.
// Column names are backtick-quoted; single quotes would make them string literals.
$stmt = $db->prepare("SELECT * FROM `posting` WHERE `category` = :category AND `file_name` LIKE :query ORDER BY `date` DESC LIMIT " . $limit_start . "," . $limit);

$stmt->bindParam(":category", $category);
$stmt->bindParam(":query", $query);

$stmt->execute();
Lawrence Cherone

Since I'm using LIKE, I need to make another variable.

$keyword1 = "%".$category."%";
$keyword2 = "%".$query1."%";

Here's the full code.

$category = htmlentities($_GET['c']);   // note: htmlentities encodes for HTML output; the value is then stored/compared in its encoded form
$query1   = htmlentities($_GET['q']);

$page        = isset($_GET['page']) ? (int) $_GET['page'] : 1;  // cast: this value is concatenated into the SQL below
$limit       = 20;
$limit_start = ($page - 1) * $limit;

// $query is the statement; the search string lives in $query1, so the two no longer collide
$query = $db->prepare("SELECT * FROM `posting` WHERE `category` LIKE :category AND `file_name` LIKE :query1 ORDER BY `date` DESC LIMIT " . $limit_start . "," . $limit);

// bindParam binds by reference, so the wildcard-wrapped patterns need variables of their own
$keyword1 = "%" . $category . "%";
$keyword2 = "%" . $query1 . "%";

$query->bindParam(":category", $keyword1);
$query->bindParam(":query1", $keyword2);

$query->execute();
jazuly aja
  • Yeah, that's fine. You could also use bindValue and not need to define other temp variables, or even pass an array with everything in it to execute. But that wasn't the original problem. – Lawrence Cherone Dec 31 '17 at 02:41
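The following is an added example, not code from the question or from either answer. It takes the search from the thread one step further than the variable rename: it uses bindValue (so no `$keyword1`/`$keyword2` temporaries, as the last comment suggests), binds the LIMIT/OFFSET values as integers instead of concatenating `$page` into the SQL, and escapes `%` and `_` in the user's search string so they are matched literally. The `posting` table and its columns follow the question; the rows, the `searchPostings` and `escapeLike` function names and the in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example (not from the question or the answers). Same search as the
// thread, with every request value bound and no SQL built from request data.
declare(strict_types=1);

// Make LIKE metacharacters in user input literal. "!" is used as the escape
// character (declared with ESCAPE in the SQL) to avoid backslash-in-string-
// literal differences between MySQL and SQLite.
function escapeLike(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function searchPostings(PDO $db, string $category, string $q, int $page, int $limit = 20): array
{
    // Clamp paging values; $_GET['page'] is never trusted as-is.
    $page   = max(1, $page);
    $limit  = max(1, min(100, $limit));
    $offset = ($page - 1) * $limit;

    // Identifiers are bare or backtick-quoted; every value is a placeholder.
    $sql = 'SELECT * FROM `posting` '
         . 'WHERE `category` = :category AND `file_name` LIKE :pattern ESCAPE \'!\' '
         . 'ORDER BY `date` DESC LIMIT :limit OFFSET :offset';
    $stmt = $db->prepare($sql);

    // bindValue copies the value, so the "%...%" pattern needs no temp variable.
    // PDO::PARAM_INT keeps LIMIT/OFFSET unquoted, which matters with emulated prepares.
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    $stmt->bindValue(':pattern', '%' . escapeLike($q) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumption) in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posting (id INTEGER PRIMARY KEY, category TEXT, file_name TEXT, date TEXT)');
$ins = $db->prepare('INSERT INTO posting (category, file_name, date) VALUES (?, ?, ?)');
foreach ([
    ['movies', 'report_2017.pdf',   '2017-12-30'],
    ['movies', 'report2017.pdf',    '2017-12-29'],
    ['movies', '100%_complete.txt', '2017-12-28'],
    ['music',  'report_2016.pdf',   '2017-12-27'],
] as $row) {
    $ins->execute($row);
}

// Second and third arguments stand in for $_GET['c'] and $_GET['q'].
// "_" is escaped, so "report2017.pdf" is not matched; only report_2017.pdf is printed.
foreach (searchPostings($db, 'movies', 'report_', 1) as $row) {
    // Encode at the point of output rather than on the way into the query.
    echo htmlspecialchars($row['file_name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Passing one array to `execute()`, as the last comment mentions, also works for the two text parameters, but it binds everything as strings; with MySQL's default emulated prepares the LIMIT value would then be quoted, so the integer parameters are bound separately with `PDO::PARAM_INT` here. The `htmlentities()` calls in the thread encode the input before it is compared against the database, which changes what is searched for (an apostrophe in a file name becomes `&#039;`); encoding belongs where the value is printed into HTML, as in the output loop above.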