Use one bind_param() with variable number of input vars

I try to use variable binding like this:

$stmt = $mysqli->prepare("UPDATE mytable SET myvar1=?, myvar2=... WHERE id = ?")) {
$stmt->bind_param("ss...", $_POST['myvar1'], $_POST['myvar2']...);

but some of the $_POST['...'] might be empty so I don't want to update them in the DB.

It's not practical to take into account all the different combination of empty $_POST['...'] and although I can build the string " UPDATE mytable SET..." to my needs, bind_param() is a different beast.

I could try building its call as a string and use eval() on it but it doesn't feel right :(


Solution 1:

You could use the call_user_func_array function to call the bind_param method with a variable number or arguments:

$paramNames = array('myvar1', 'myvar2', /* ... */);
$params = array();
foreach ($paramNames as $name) {
    if (isset($_POST[$name]) && $_POST[$name] != '') {
        $params[$name] = $_POST[$name];
    }
}
if (count($params)) {
    $query = 'UPDATE mytable SET ';
    foreach ($params as $name => $val) {
        $query .= $name.'=?,';
    }
    $query = substr($query, 0, -1);
    $query .= 'WHERE id = ?';
    $stmt = $mysqli->prepare($query);
    $params = array_merge(array(str_repeat('s', count($params))), array_values($params));
    call_user_func_array(array(&$stmt, 'bind_param'), $params);
}

Solution 2:

This is what I use to do mysqli prepared statements with a variable amount of params. It's part of a class I wrote. It propably is overkill for what you need but it should show you the right direction.

public function __construct($con, $query){
    $this->con = $con;
    $this->query = $query;
    parent::__construct($con, $query);
    //We check for errors:
    if($this->con->error) throw new Exception($this->con->error);
}

protected static $allowed = array('d', 'i', 's', 'b'); //allowed types

protected static function mysqliContentType($value) {
    if(is_string($value)) $type = 's';
    elseif(is_float($value)) $type = 'd';
    elseif(is_int($value)) $type = 'i';
    else throw new Exception("type of '$value' is not string, int or float");
    return $type;
}

//This function checks if a given string is an allowed mysqli content type for prepared statement (s, d, b, or i)
protected static function mysqliAllowedContentType($s){
    return in_array($s, self::$allowed);
}

public function feed($params){
    //These should all be empty in case this gets used multiple times
    $this->paramArgs = array();
    $this->typestring = '';
    $this->params = $params;
    $this->paramArgs[0] = '';
    $i = 0;
    foreach($this->params as $value){
        //We check the type:
        if(is_array($value)){
            $temp = array_keys($value);
            $type = $temp[0];
            $this->params[$i] = $value[$type];
            if(!self::mysqliAllowedContentType($type)){
                $type = self::mysqliContentType($value[$type]);
            }
        }
        else{
            $type = self::mysqliContentType($value);
        }
        $this->typestring .= $type;
        //We build the array of values we pass to the bind_params function
        //We add a refrence to the value of the array to the array we will pass to the call_user_func_array function. Thus say we have the following
        //$this->params array:
            //$this->params[0] = 'foo';
            //$this->params[1] = 4;
        //$this->paramArgs will become: 
            //$this->paramArgs[0] = 'si'; //Typestring
            //$this->paramArgs[1] = &$this->params[0];
            //$this->paramArgs[2] = &$this->params[1].
        //Thus using call_user_func_array will call $this->bind_param() (which is inherented from the mysqli_stmt class) like this:
            //$this->bind_param( 'si', &$this->params[0], &$this->params[1] );
        $this->paramArgs[] = &$this->params[$i];
        $i++;
    }
    unset($i);
    $this->paramArgs[0] = $this->typestring;
    return call_user_func_array(array(&$this, 'bind_param'), $this->paramArgs);
}

You use it like this:

 $prep = new theClassAboveHere( $mysqli, $query );
 $prep->feed( array('string', 1, array('b', 'BLOB DATA') );

The class should extend the mysqli_stmt class.

I hope this helps you in the right direction.
If you wan't I could also post the whole class, it includes variable results binding.

Solution 3:

It is marginally more clear to build your statement using an array:

$params = array();
$fragments = array();
foreach($_POST as $col => $val)
{
  $fragments[] = "{$col} = ?";
  $params[] = $val;
}

$sql = sprintf("UPDATE sometable SET %s", implode(", ", $fragments));
$stmt = $mysqli->prepare($sql);
$stmt->bind_param($params);