PDO query problem

elemelas

Does anyone have an idea what is wrong in that query:

$perpage = 8;
$query = $conn->prepare('SELECT id FROM profiles ORDER BY date DESC LIMIT 0,:perpage');
$query -> bindValue(':perpage', $perpage);
$query -> execute();

it's working fine when I'll put 8 instead of :perpage after LIMIT 0, but I want to be able to give user a chance to change number of entries perpage. any help would be appreciated

NogDog

I think (but am not sure) that PDO prepared statements can only use place-holders for column values, not for any arbitrary part of the query string.

elemelas

really ? that would be a great disadvantage ...

does anyone have an idea if that's true ?

if it's really true, how can I then protect the DB from sql injection other than with PDO, is mysql_real_escape_string enough ? but, at the same time, making separate mysql connection (not-PDO) just for that one query seems a bit weird for me .. what you guys think ?

NogDog

If I'm right (and I am not at all sure: I normally use the MySQLi interface, not PDO [or the CodeIgniter ActiveRecord interface]), in this particular case you can simply cast the value to integer.

$query = $conn->prepare('SELECT id FROM profiles ORDER BY date DESC LIMIT 0, ' .
   (int) $perpage);