PDO: “Invalid parameter number” when substituting multiple parameters with same value

Backend · Open · 1 answer · 1513 views
伪装坚强ぢ 2020-12-11 03:55

How do I bind my parameter if it appears multiple times in the query as follows?

$STH = $DBH->prepare(\"SELECT * FROM $table WHERE firstname LIKE :string          


        
1 answer
  • 2020-12-11 04:28

    You mentioned two parameters (with the same name) for the prepare statement, yet you supply a value for the first parameter only (that's what the error was about).

    Not quite sure how PDO internally solved the same-parameter-name issue, but you can always avoid that.

    Two possible solutions:

```php
// Named placeholders: give each occurrence its own name and bind the same value to both.
// (The original snippet was missing the concatenation dot after "where ".)
$sql = "select * from $table ".
       "where ".
       "first_name like concat('%', :fname, '%') or ".
       "last_name  like concat('%', :lname, '%')";
$stmt = $DBH->prepare($sql);
$stmt->bindValue(':fname', $string, PDO::PARAM_STR);
$stmt->bindValue(':lname', $string, PDO::PARAM_STR);
$stmt->execute();
```

```php
// Positional placeholders: bind by 1-based index instead of by name.
// (Same missing concatenation dot fixed here.)
$sql = "select * from $table ".
       "where ".
       "first_name like concat('%', ?, '%') or ".
       "last_name  like concat('%', ?, '%')";
$stmt = $DBH->prepare($sql);
$stmt->bindValue(1, $string, PDO::PARAM_STR);
$stmt->bindValue(2, $string, PDO::PARAM_STR);
$stmt->execute();
```

    By the way, the existing way you have done still has SQL injection issues.

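The following is an added, runnable example (not code from the question or the answer above) that combines the answer's advice with the two checks a reviewer would ask for: the `$table` name is taken from a fixed allow-list rather than interpolated from input, and LIKE metacharacters in the search text are escaped so a user typing `%` or `_` cannot turn the query into a wildcard scan. It runs against an in-memory SQLite database so it can be tried offline; the table `users`, its columns and the sample rows are constructed for the example. The PDO manual documents that a named marker cannot be reused within one statement unless prepare emulation is on, which is why each placeholder gets its own name here.

```php
<?php
// Added example: one value bound to several placeholders without reusing a
// named marker, plus an allow-listed table name and escaped LIKE wildcards.

function searchByName(PDO $dbh, string $table, string $needle): array
{
    // $table is interpolated into the SQL text, so it must never come from
    // the request unfiltered. Map request values to known table names.
    $allowedTables = ['users' => 'users', 'staff' => 'staff']; // assumption
    if (!isset($allowedTables[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $table = $allowedTables[$table];

    // Escape LIKE metacharacters so '%' and '_' typed by the user match
    // literally. '!' is declared as the escape character in the query
    // (ESCAPE is supported by MySQL and SQLite alike).
    $escaped = strtr($needle, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $pattern = '%' . $escaped . '%';

    // Two distinct placeholder names, each bound once with the same value.
    $sql = "SELECT * FROM $table "
         . "WHERE first_name LIKE :fname ESCAPE '!' "
         . "   OR last_name  LIKE :lname ESCAPE '!'";
    $stmt = $dbh->prepare($sql);
    $stmt->bindValue(':fname', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lname', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)");
$dbh->exec("INSERT INTO users (first_name, last_name) VALUES "
         . "('Alice', 'Smith'), ('Bob', 'O''Brien'), ('100%', 'Real')");

// Ordinary substring search: matches Bob O'Brien.
print_r(searchByName($dbh, 'users', 'bri'));

// A bare '%' is treated as a literal: only the row containing '100%' matches,
// not every row in the table.
print_r(searchByName($dbh, 'users', '%'));

// Injection attempt stays data: no rows, and the query text is unchanged.
print_r(searchByName($dbh, 'users', "' OR 1=1 --"));

// A table name that is not on the allow-list is rejected before any SQL is built.
try {
    searchByName($dbh, 'users; DROP TABLE users', 'x');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The `ESCAPE '!'` clause is what makes the wildcard escaping reliable across drivers: MySQL defaults to backslash as the LIKE escape character, SQLite has no default at all, so declaring one explicitly avoids depending on either.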