Saturday, 15 August 2015

php - Warning: PDO::prepare() expects parameter 1 to be string, object given -




I have been trying to convert old mysql code to PDO while trying to learn how PDO works. I have been working on this one file for hours, busting my head, and cannot figure out what is wrong, and I'm sure it's a lot.

    try {
        $check_user_data = $dbh->query("SELECT * FROM members WHERE username = '$username'");
        $stmt = $dbh->prepare($check_user_data);
        $stmt->execute();
        $result->bind_result($username);
        $data_exists = ($check_user_data->fetchColumn() > 0) ? true : false;
        if ($data_exists = false) {
            $final_report .= "this username not exist..";
        } else {
            $get_user_data = $stmt->fetch(PDO::FETCH_ASSOC);
            if ($get_user_data['password'] == $password) {
                $start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
                $start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
                $final_report .= "you logged in, please wait few moments.. <meta http-equiv='refresh' content='2; url=members.php'/>";
            }
        }
        foreach ($dbh->query($sql) as $row) {
        }
        $dbh = null;
    } catch (PDOException $e) {
        echo $e->getMessage();
    }

I am also getting a fatal error:

    Fatal error: Call to a member function execute() on a non-object

I'm not sure if the fatal error is related to the warning or not.

First, change these 2 lines:

    $check_user_data = $dbh->query("SELECT * FROM members WHERE username = '$username'");
    $stmt = $dbh->prepare($check_user_data);

to:

    $stmt = $dbh->prepare("SELECT * FROM members WHERE username = :username");
    $stmt->bindParam(':username', $username);

This makes use of the parameter feature of prepared statements, which prevents SQL injection.

Next, PDO doesn't have a bind_result method; that's part of MySQLi. To get the results, you should do:

    $get_user_data = $stmt->fetch(PDO::FETCH_ASSOC);
    $data_exists = ($get_user_data !== false);

You should then remove the call to $stmt->fetch in the else block, because it will seek to the next row of results.
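The answer's changes assembled into one runnable script, as an added example that is not part of the original question or answer. The function names `find_member()` and `check_login()`, the in-memory SQLite table and its sample row are assumptions made for illustration, and `password_verify()` is swapped in for the question's plain `==` password comparison on the assumption that the column stores a `password_hash()` value.

```php
<?php
// Added example (not the original poster's code). Names and data are constructed.

function find_member(PDO $dbh, string $username)
{
    // prepare() takes the SQL string itself. Passing the PDOStatement returned
    // by query() is what triggers "expects parameter 1 to be string, object given".
    $stmt = $dbh->prepare('SELECT username, password FROM members WHERE username = :username');
    // The username travels as a bound value, never as part of the SQL text.
    $stmt->bindParam(':username', $username);
    $stmt->execute();

    // Fetch once: the result is the row on a match, or false if no such user.
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

function check_login(PDO $dbh, string $username, string $password): bool
{
    $row = find_member($dbh, $username);
    if ($row === false) {   // strict comparison, not the assignment "= false"
        return false;
    }
    // Assumption: members.password holds a password_hash() value.
    return password_verify($password, $row['password']);
}

// Constructed in-memory database so the script runs offline (requires pdo_sqlite).
$dbh = new PDO('sqlite::memory:');
// Throw PDOException on failure instead of returning false, so a bad statement
// cannot be silently passed on to execute().
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');
$ins = $dbh->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: a valid login, a wrong password, and a username that
// contains quote characters and SQL keywords.
var_dump(check_login($dbh, 'alice', 'correct horse'));
var_dump(check_login($dbh, 'alice', 'wrong'));
var_dump(check_login($dbh, "alice' OR '1'='1", 'x'));
```

Because the third username is bound as data, it is compared literally against the `username` column and matches no row; interpolated into the query string as in the question, the same input would change the WHERE clause.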

php mysql pdo execute prepare
