5

PDO seems to add quotes to the bound parameters automatically in a prepared sql statement.

I do not want this functionality when I am trying to limit the number of results because this should be seen as an integer to mysql.

function fixStatistics($metal, $currency, $months){
$db = connectPDO();
$sql = '
        SELECT [COLUMN NAMES]
        FROM [TABLE NAMES]
        WHERE [WHERE STUFF]
        GROUP BY `Month`
        ORDER BY MONTH(DateStamp) LIMIT :numMonths
';

$stmt = $db->prepare($sql);
$stmt->execute(
        array(
        ':metal' => $metal,
        ':currency' => $currency,
        ':numMonths' => $months // Problem Code
    )
);
$statistics = $stmt->fetchAll(PDO::FETCH_ASSOC);
return $statistics;
}

I can resolve this issue by manually injecting / concatenating the sql statement - Not what I want to do.

ORDER BY MONTH(DateStamp) LIMIT ' . $numMonths

But is there a way of casting the :numMonths directly to an int at the point of $stmt->execute();?

Gravy
  • 11,826
  • 25
  • 119
  • 188

1 Answers1

5

from the docs about the execute array param:

An array of values with as many elements as there are bound parameters in the SQL statement being executed. All values are treated as PDO::PARAM_STR.

use something like this before execute:

$stmt->bindValue(':numMonths', intval($months), PDO::PARAM_INT);
x4rf41
  • 4,978
  • 1
  • 20
  • 31