
Converting this into prepared statements and executing it?

I have this original sql in my file:

$sql =  "SELECT id FROM tags_standard WHERE name SOUNDS LIKE '" . $q . "'";
$result = new Resultset(null, $this,
    $this->getReadConnection()->query($sql, array()));

I know I should use a prepared statement, but I am not sure how to bind the param or how to execute it. So far I have this:

$di = \Phalcon\DI::getDefault();
$db = $di->get('db');
$sql = $db->prepare("SELECT id FROM tags_standard WHERE name SOUNDS LIKE '" . $q . "'");

Can anyone help me out?

edited Aug '15

This can help you solve your question:

https://docs.phalcon.io/en/latest/reference/models.html#initializing-preparing-fetched-records

// $dbh is an open PDO connection (e.g. $di->get('db') in Phalcon)
$name           = 'Artichoke';
$price          = 10.5;
$active         = 'Y';
$productTypesId = 1;

// Named placeholders: the values are sent separately from the SQL text
$sql = 'INSERT INTO products VALUES (null, :productTypesId, :name, :price, :active)';
$sth = $dbh->prepare($sql);

$sth->bindParam(':productTypesId', $productTypesId, PDO::PARAM_INT);
$sth->bindParam(':name', $name, PDO::PARAM_STR, 70);
// bindParam() binds by reference, so it cannot take a function result;
// bindValue() binds the value itself
$sth->bindValue(':price', (float) $price);
$sth->bindParam(':active', $active, PDO::PARAM_STR, 1);

$sth->execute();
edited Aug '15

Thanks for the help. I am more concerned about how to do SOUNDS LIKE with bound params.

edited Aug '15

This way:

$sql =  "SELECT id FROM tags_standard WHERE name SOUNDS LIKE :q";
$result = new Resultset(null, $this, $this->getReadConnection()->query($sql, array('q' => $q)));
edited Aug '15

Oh, I see. Thanks a lot. But with this I still can't use a prepared statement on it, because prepare() gives you an object. Or do you mean that if I bind my parameters like this I don't need to use a prepared statement?

This way:

$sql =  "SELECT id FROM tags_standard WHERE name SOUNDS LIKE :q";
$result = new Resultset(null, $this, $this->getReadConnection()->query($sql, array('q' => $q)));

It automatically prepares the SQL statement.

I see ok thanks.
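A worked version of the advice in this thread, added here as an example rather than code from the original posts or from Phalcon itself. It puts the original concatenated query next to the parameterized one so the difference is visible with a hostile input, and shows the same query inside a Phalcon model using query() with a bind array, which is what makes the adapter prepare and execute the statement for you. The DSN, credentials, table layout and the TagsStandard model are assumptions; SOUNDS LIKE is MySQL-specific, so this has to run against MySQL or MariaDB with a configured Phalcon DI for the model part.

```php
<?php
// Added example, not code from the original thread or from Phalcon.
// Assumed: a MySQL database reachable via the DSN below (hypothetical
// credentials) with a table tags_standard(id INT, name VARCHAR).
declare(strict_types=1);

use Phalcon\Mvc\Model;
use Phalcon\Mvc\Model\Resultset\Simple as Resultset;

const DSN     = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // assumed
const DB_USER = 'app';    // assumed
const DB_PASS = 'secret'; // assumed

/**
 * Unsafe version, as in the original post: the user-controlled string is
 * spliced into the SQL text. With $q = "x' OR '1'='1" the WHERE clause
 * becomes   name SOUNDS LIKE 'x' OR '1'='1'   and every row comes back.
 * A single quote in $q is enough to change the query's meaning.
 */
function findByConcatenation(PDO $pdo, string $q): array
{
    $sql = "SELECT id FROM tags_standard WHERE name SOUNDS LIKE '" . $q . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * Safe version: SOUNDS LIKE takes an ordinary string operand, so a named
 * placeholder works exactly as it would for "=". The value travels to the
 * server separately from the statement text and is never parsed as SQL.
 */
function findBySoundsLike(PDO $pdo, string $q): array
{
    $sth = $pdo->prepare('SELECT id FROM tags_standard WHERE name SOUNDS LIKE :q');
    $sth->bindValue(':q', $q, PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * The same query inside a Phalcon model (hypothetical model, mirroring the
 * answer above): passing the bind array as the second argument of query()
 * makes the adapter prepare() the statement and execute it with the values
 * bound, so there is no separate prepare/execute pair to write.
 */
class TagsStandard extends Model
{
    public function findSoundsLike(string $q): Resultset
    {
        $sql = 'SELECT id FROM tags_standard WHERE name SOUNDS LIKE :q';
        return new Resultset(
            null,
            $this,
            $this->getReadConnection()->query($sql, ['q' => $q])
        );
    }
}

$pdo = new PDO(DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Constructed hostile input: a closing quote followed by an always-true clause.
$hostile = "x' OR '1'='1";
printf("concatenated:  %d rows\n", count(findByConcatenation($pdo, $hostile)));
printf("parameterized: %d rows\n", count(findBySoundsLike($pdo, $hostile)));
```

With the concatenated query the hostile string returns the whole table; with the placeholder it only matches names that genuinely sound like the literal text "x' OR '1'='1". Disabling emulated prepares makes PDO send the statement and the bound value to MySQL separately instead of quoting the value client-side, which is the behaviour you want when the whole point is keeping data out of the SQL text.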