Possible Duplicate:
PDO Database access WHERE title = $title
Here is a sample of $message's content:
string(108) "\n cc je t'ai envoyé une invitation A plus :p\n "
Here is the error message:
Fatal error: Call to a member function setFetchMode() on a non-object
in B:\wamp\www\messages.php on line 101
My request that doesn't work:
// $message is dropped straight into the SQL text. The apostrophe in "t'ai"
// closes the string literal early, so the statement is invalid; in PDO's
// default error mode query() then returns false instead of a PDOStatement,
// which is why the next line dies with "setFetchMode() on a non-object".
$resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%$message%'");
$resultats->setFetchMode(PDO::FETCH_OBJ);
$occurences = $resultats->rowCount();
Why does this one work? (I replaced $message with a):
// With a fixed literal there is no quote to break the SQL, so query()
// returns a PDOStatement and the following calls succeed.
$resultats = $connexion->query("SELECT * FROM messages WHERE message LIKE '%a%'");
$resultats->setFetchMode(PDO::FETCH_OBJ);
$occurences = $resultats->rowCount();
Simply using PDO with the same techniques that were used for mysql_* doesn't do you any good; you need to take advantage of its parameterized queries. It performs all necessary escaping automatically and correctly for you on the parameters that you pass via the execute() method.

As for "I used addslashes": that is not safe. Use prepared statements as demonstrated above. Unless you are generating SQL (actual SQL logic, not filling in blanks with user-generated content) you should never have a need for PHP variables within SQL.
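The search from the question rewritten as a prepared statement, as an added example rather than code from the asker or the answerer. The connection string, credentials and the `likeLiteral()` helper are assumptions for illustration; the table and column names (`messages`, `message`) are the ones used in the question.

```php
<?php
// Added example, not part of the original question or answer.
// Connection details are placeholders; adjust them for your setup.
$connexion = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'db_user',
    'db_password'
);

// Make PDO throw on SQL errors instead of returning false. A failed query
// then surfaces as a PDOException at the point of failure rather than as
// a "call to a member function on a non-object" fatal a few lines later.
$connexion->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Escape the LIKE metacharacters so user text is matched literally.
// Hypothetical helper; MySQL's default LIKE escape character is backslash.
function likeLiteral(string $s): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
}

// Constructed sample input containing the apostrophe that broke the
// original query. With a bound parameter it is just data, never SQL.
$message = "cc je t'ai envoyé une invitation A plus :p";

// The SQL text contains only a placeholder; the % wildcards are part of
// the bound value, not of the query string.
$stmt = $connexion->prepare(
    'SELECT * FROM messages WHERE message LIKE :pattern'
);
$stmt->execute([':pattern' => '%' . likeLiteral($message) . '%']);
$stmt->setFetchMode(PDO::FETCH_OBJ);

// Count by fetching rather than with rowCount(): for SELECT statements
// rowCount() is driver-dependent and not guaranteed to be meaningful.
$rows = $stmt->fetchAll();
$occurences = count($rows);

foreach ($rows as $row) {
    echo $row->message, PHP_EOL;
}
echo "$occurences occurrence(s)", PHP_EOL;
```

Binding the value means the database receives the SQL and the data separately, so quotes in `$message` can neither break the statement nor change its meaning; `addslashes()` only papers over the quote case and is not a substitute. The `likeLiteral()` step is separate from injection protection: `%` and `_` typed by the user would otherwise act as wildcards inside the LIKE pattern.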