A prepared statement can only execute one MySQL query. You can prepare as many statements as you want in different variables: $stmtUser = $sql->prepare(“INSERT INTO user (id_user, username, pw, email) VALUES (?,?,?,?)”); $stmtProc = $sql->prepare(“INSERT INTO process (id_user, idp) VALUES (?,?);”); And then execute them later. If you want to ensure that neither one is … Read more
You can’t. You need to contruct the sql with string concatenation/placeholder with String.format. prepared statement is for the column values not for table name.
Here’s the problem: $comments = $db->prepare($query); /* where $db is the PDO object */ $comments->execute(array($post, $min, $max)); The manual page for PDOStatement::execute() says (emphasis mine): Parameters input_parameters An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR. Thus your parameters … Read more
If you use the string literal exactly as you have shown us, the problem is the ; character at the end. You may not include that in the query string in the JDBC calls. As you are inserting only a single row, a regular INSERT should be just fine even when inserting multiple rows. Using … Read more
The second way is a tad more efficient, but a much better way is to execute them in batches: public void executeBatch(List<Entity> entities) throws SQLException { try ( Connection connection = dataSource.getConnection(); PreparedStatement statement = connection.prepareStatement(SQL); ) { for (Entity entity : entities) { statement.setObject(1, entity.getSomeProperty()); // … statement.addBatch(); } statement.executeBatch(); } } You’re however … Read more
A table name can’t be used as a parameter. It must be hard coded. So you can do something like: private String query1 = “SELECT plantID, edrman, plant, vaxnode FROM [” + reportDate + “?]”;
This indicates a bad DB design. The user shouldn’t need to know about the column names. Create a real DB column which holds those “column names” and store the data along it instead. And any way, no, you cannot set column names as PreparedStatement values. You can only set column values as PreparedStatement values If … Read more
Consider two ways of doing the same thing: PreparedStatement stmt = conn.createStatement(“INSERT INTO students VALUES(‘” + user + “‘)”); stmt.execute(); Or PreparedStatement stmt = conn.prepareStatement(“INSERT INTO student VALUES(?)”); stmt.setString(1, user); stmt.execute(); If “user” came from user input and the user input was Robert’); DROP TABLE students; — Then in the first instance, you’d be hosed. … Read more
Multiple Values Insert with PDO Prepared Statements Inserting multiple values in one execute statement. Why because according to this page it is faster than regular inserts. $datafields = array(‘fielda’, ‘fieldb’, … ); $data[] = array(‘fielda’ => ‘value’, ‘fieldb’ => ‘value’ ….); $data[] = array(‘fielda’ => ‘value’, ‘fieldb’ => ‘value’ ….); more data values or you … Read more
I can think of a couple solutions. One solution might be to create a temporary table. Do an insert into the table for each parameter that you would have in the in clause. Then do a simple join against your temporary table. Another method might be to do something like this. $dbh=new PDO($dbConnect, $dbUser, $dbPass); … Read more