I am using PDO and PHP and stopping injection. All the prepared queries on the internet have one table. This is one that I did that is right:

    // Values are bound to named placeholders instead of being pasted into the SQL
    $stmt = $dbo->prepare('UPDATE products SET ProductName = :ProductName, ProductDescription = :ProductDescription, ProductCost = :ProductCost, ProductQuantity = :ProductQuantity WHERE ProductID = 3');
    $stmt->execute(['ProductName' => $var1, 'ProductDescription' => $var2, 'ProductCost' => $var3, 'ProductQuantity' => $var4]);

When there are two tables with an INNER JOIN I don't know how to do it:

    // $keyword is interpolated directly into the SQL string here
    $q1 = "SELECT * FROM products INNER JOIN keywords on keywords.keywordID = products.KeywordID and keywords.KeyWord1 = \"$keyword\" ";

Thank you,
Josheir

You're probably overthinking it given the example you've already got working. Try this:

    $q1 = "SELECT * FROM products INNER JOIN keywords on keywords.keywordID = products.KeywordID and keywords.KeyWord1 = :keyword ";
    // prepare() is called on the PDO connection ($dbo) and returns the statement
    $stmt = $dbo->prepare($q1);
    $stmt->execute(['keyword' => 'puppies']);

Why is there no need for table_name.column to have any :data? I am trying to prepare against injection.

    INNER JOIN keywords on keywords.keywordID = products.KeywordID

You mean inside the join? You're not passing anything down to the database for that, you're just giving instructions to match the content that already exists.
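
The point made in the last reply, as an added example that is not part of the original thread: the join columns are fixed text in the statement, and only the keyword value travels as a bound parameter. It assumes the pdo_sqlite extension and uses a constructed in-memory schema and rows; the function name findProductsByKeyword and the sample keywords are made up for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database.
$dbo = new PDO('sqlite::memory:');
$dbo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$dbo->exec('CREATE TABLE keywords (keywordID INTEGER PRIMARY KEY, KeyWord1 TEXT)');
$dbo->exec('CREATE TABLE products (ProductID INTEGER PRIMARY KEY, ProductName TEXT, KeywordID INTEGER)');

// Constructed sample rows; the second keyword contains a double quote on purpose.
$rows = [[1, 'puppies', 'Dog bed'], [2, '27" monitors', 'Desk display']];
$insK = $dbo->prepare('INSERT INTO keywords (keywordID, KeyWord1) VALUES (:id, :kw)');
$insP = $dbo->prepare('INSERT INTO products (ProductName, KeywordID) VALUES (:name, :kid)');
foreach ($rows as [$id, $kw, $name]) {
    $insK->execute(['id' => $id, 'kw' => $kw]);
    $insP->execute(['name' => $name, 'kid' => $id]);
}

/**
 * Hypothetical helper: products whose keyword equals $keyword.
 * The table and column names in the JOIN are written by the developer and
 * never change, so they need no placeholder. The keyword is the only part
 * that comes from outside, so it is the only part that is bound.
 */
function findProductsByKeyword(PDO $dbo, string $keyword): array
{
    $stmt = $dbo->prepare(
        'SELECT products.ProductName, keywords.KeyWord1
           FROM products
          INNER JOIN keywords
             ON keywords.keywordID = products.KeywordID
            AND keywords.KeyWord1 = :keyword'
    );
    $stmt->execute(['keyword' => $keyword]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Each input is compared to KeyWord1 as one whole string, quotes included;
// none of it is parsed as SQL, whatever characters it contains.
foreach (['puppies', '27" monitors', 'puppies" and more'] as $input) {
    $found = findProductsByKeyword($dbo, $input);
    printf("%-20s %d row(s) %s\n", $input, count($found), json_encode(array_column($found, 'ProductName')));
}
```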