Home/ Questions/Q 7648091
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T10:37:34+00:00

I have this code (which worked): if (isset($_POST[‘plant_name’]) && $_POST[‘plant_name’]) { $where .= AND

  • 0

I have this code (which worked):

if (isset($_POST['plant_name']) && $_POST['plant_name']) {
$where .= "AND (common_name) LIKE '".strtolower($_POST['plant_name']) . "' OR (latin_name) LIKE '".strtolower($_POST['plant_name'])."%' ";
}

But I wanted to change it to prepared statements and my attempt is below but I am getting errors:

$plant_name = $_POST['plant_name'];

if (isset($_POST['plant_name']) && $_POST['plant_name']) { 
$stmt = $conn2->prepare . $where .= "AND (common_name) LIKE '".'?'. "' OR (latin_name) LIKE '".'?'."%' ";
}

$stmt->bind_param('s', $plant_name);

$stmt->execute();

Could somebody please help me out please

My errors are:

Notice: Undefined property: mysqli::$prepare

Fatal error: Call to a member function bind_param() on a non-object
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    EDIT: You’re using mysqli not PDO my fault. Unfortunately mysqli doesn’t support named parameters.

    In your original example, you’re treating $conn2->prepare like it’s a property, but it’s a function.

    Try this:

    // Presumably by this point you have a $sql and a $where that you're appending to.
if (isset($_POST['plant_name']) && $_POST['plant_name']) { 
    $where .= "AND (common_name) LIKE ? OR (latin_name) LIKE ?";
}
$stmt = $conn2->prepare($sql . $where);
if (isset($_POST['plant_name']) && $_POST['plant_name']) { 
    $stmt->bind_param('s', strtolower($_POST['plant_name']));
    $stmt->bind_param('s', strtolower($_POST['plant_name'])."%");
}

    Here’s the PDO way (I think it’s a lot cleaner, but it’s probably not worth changing from mysqli to PDO at this point for you):

    $statement = $conn2->prepare(
"UPDATE tablename SET 
    field1 = :value1,
    field2 = :value2
WHERE common_name LIKE :plant_name
OR    latin_name LIKE :plant_name
");
$statement->bindValue('value1', $_POST['field1']);
$statement->bindValue('value2', $_POST['field2']);
$statement->bindValue('plant_name', strtolower($_POST['plant_name']));

    Note a few things about this:

    1. I switched you from using ? (numerically indexed placeholders) to :name (name-based placeholders). Since you’re using the same value for searching both fields, this gets you a very small performance gain, and makes the SQL a lot more readable.
    2. You don’t want to put quote marks around the bound parameter. One of the advantages of bound parameters is that they don’t need to be quote-escaped. The SQL is sent on a separate channel from the parameter values. So there’s no chance of SQL injection. The database notices the bound parameter and reads the right value all on its own by looking it up in the bound parameters data.
    • 0