I have a similiar class with a lot of methods, but getData() only returns

Question

0

Asked: June 1, 20262026-06-01T10:37:28+00:00 2026-06-01T10:37:28+00:00

I have a similiar class with a lot of methods, but getData() only returns

0

I have a similiar class with a lot of methods, but getData() only returns the value of the $column parameter.

private $db;

function __construct()
{
    $this->db = new PDO('sqlite:\db');
}

public function getData($rowid, $column)
{
    $st = $this->db->prepare('SELECT ? FROM tbl WHERE rowid=?');
    $st->bindParam(1, $column, PDO::PARAM_STR);
    $st->bindParam(2, $rowid, PDO::PARAM_INT);
    if ($st->execute())
        return $st->fetchColumn();
    else
        return false;
}

Every other parts of the class and the left out half of getData() works. What’s the problem here?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-01T10:37:30+00:00

bindParam is used to bind parameters, not identifiers. The value you bind there will be expanded as:

SELECT 'some_value' FROM tbl WHERE rowid='some_other_value';

…therefore equivalent to:

SELECT 'some_value';

You should only use parameters for actual parameters:

$this->db->prepare('SELECT '.$column.' FROM tbl WHERE rowid=?');

If your column is user-supplied and you want to escape it, use the proper escaping function. In this case, it’s SQLite3::escapeString():

$column = SQLite3::escapeString($column);
$this->db->prepare('SELECT '.$column.' FROM tbl WHERE rowid=?');

If the column is not user-supplied, you don’t really have to escape it.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I have a similiar class with a lot of methods, but getData() only returns

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply