How to use prepare statements / bind values in a query in Joomla 3?

#1
I'd like to know how to bind values in a WHERE clause. I have understood that this is something that MUST be done for security reasons.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
->select("*")
->from($db->quoteName("food"))
->where("taste = :taste")
->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();

I'm getting this error:

> You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use
> near ':taste' at line 3 SQL=SELECT * FROM `food` WHERE taste = :taste

My code is based on [this post][1]. It says that in Joomla 3.1 only "*PDO/Sqlite and PDO/Oracle are supporting prepared statements*". I am using Joomla 3.2.1 and MySQL, with MySQLi selected in my Joomla configuration. Could that be the problem?

I am quite confused because I don't know which API/class I have to follow.

- [JDatabase for Joomla 3.x][2] **there is no bind method**, and the information is scant; it seems incomplete.
- [JDatabase for Joomla 2.5][3] has more information, but obviously it is not my version; there is no bind method.
- [JDatabaseQuery for Joomla 3.x][4] there is no bind method
- [JDatabaseQuerySqlite for Joomla 3.x][5] **has** bind method
- [JDatabaseQueryPdo for Joomla 3.x][6] there is no bind method
- [JTable for Joomla 3.x][7] **has** bind method


I'm even starting to doubt whether I should be using JFactory::getDbo() to select/insert/update/delete data in the Joomla DB.

Thanks in advance.

[1]: [link withheld by forum; registration required]
[2]: [link withheld by forum; registration required]
[3]: [link withheld by forum; registration required]
[4]: [link withheld by forum; registration required]
[5]: [link withheld by forum; registration required]
[6]: [link withheld by forum; registration required]
[7]: [link withheld by forum; registration required]


#2
As far as I know, you **can't** use prepared statements or bind values with Joomla.

If you read the Secure Coding Guidelines from the Joomla documentation ([link withheld by forum; registration required]), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.

#3
In Joomla there is normally the `check()`, `bind()`, `store()` triple from JTable that prevents injection.

`JDatabaseQueryPreparable` has a bind method that you may want to look at. You may also want to look at the docblocks for `JDatabaseQueryLimitable`.

One thing I would suggest is that when you get that error, usually it is really because you do have a problem in your query (often wrong quoting, or something being empty that needs not to be empty). To see your generated query you can use

`echo $query->dump();`

and then try running it directly in SQL.

Also, in general it's wise to use `$db->quote()` and `$db->quoteName()` if you are using the API; that way you won't run into quoting problems. I think you may have a quoting problem but it's hard to know without knowing your field names.
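The following is an added example and not code from the original thread or from the Joomla project. It shows the question's lookup written the way answers #2 and #3 describe for Joomla 3.x, where `JDatabaseQuery` on the MySQL/MySQLi drivers has no `bind()` (its `__call()` quietly swallows the unknown method, which is why the question's `:taste` placeholder reached MySQL untouched). The only defences available are casting, `$db->quote()` for values, `$db->quoteName()` for identifiers, and an allow-list for anything that cannot be quoted. The table `#__food(id, name, taste, calories)`, the request parameter names, and the component context are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): safe SELECT on Joomla 3.x,
// where JDatabaseQuery has no bind(). Assumed table #__food(id, name, taste,
// calories); assumed to run inside a Joomla 3 component so JFactory exists.

defined('_JEXEC') or die;

function buildFoodQuery(JDatabaseDriver $db, array $filters)
{
	$query = $db->getQuery(true)
		->select($db->quoteName(array('id', 'name', 'taste', 'calories')))
		->from($db->quoteName('#__food'));

	// String value: always go through quote(), which escapes with the
	// driver's charset-aware escaper and wraps the result in quotes.
	// For the payload  sweet' OR '1'='1  this yields  'sweet\' OR \'1\'=\'1'
	// and the comparison simply matches nothing instead of every row.
	if (isset($filters['taste']))
	{
		$query->where($db->quoteName('taste') . ' = ' . $db->quote($filters['taste']));
	}

	// Numeric value: an (int) cast is sufficient and cheaper than quoting.
	if (isset($filters['max_calories']))
	{
		$query->where($db->quoteName('calories') . ' <= ' . (int) $filters['max_calories']);
	}

	// List of ids: cast every element before joining. Never implode raw input.
	if (!empty($filters['ids']))
	{
		$ids = array_map('intval', (array) $filters['ids']);
		$query->where($db->quoteName('id') . ' IN (' . implode(',', $ids) . ')');
	}

	// Identifiers and keywords cannot be made safe by quote(), and quoteName()
	// only wraps them in backticks. Accept only names from an allow-list.
	$sortable = array('id', 'name', 'calories');
	$sort     = (isset($filters['sort']) && in_array($filters['sort'], $sortable, true)) ? $filters['sort'] : 'id';
	$dir      = (isset($filters['dir']) && strtoupper($filters['dir']) === 'DESC') ? 'DESC' : 'ASC';
	$query->order($db->quoteName($sort) . ' ' . $dir);

	return $query;
}

// For comparison, the vulnerable pattern this replaces:
//   $query->where("taste = '" . $input->getString('taste') . "'");
// with taste = sweet' OR '1'='1  produces
//   WHERE taste = 'sweet' OR '1'='1'
// and returns the whole table.

$input = JFactory::getApplication()->input;
$db    = JFactory::getDbo();

$query = buildFoodQuery($db, array(
	'taste'        => $input->getString('taste'),          // attacker-controlled
	'max_calories' => $input->getInt('max_calories', 500),
	'ids'          => $input->get('ids', array(), 'array'),
	'sort'         => $input->getCmd('sort', 'id'),
	'dir'          => $input->getCmd('dir', 'ASC'),
));

// Inspect the final SQL before trusting it, as answer #3 advises.
// dump() wraps the SQL in HTML for the browser; (string) $query is plain text.
echo $query->dump();

$db->setQuery($query);
$rows = $db->loadAssocList();
```

The sort column is the part most often forgotten: `$db->quote('calories')` would turn the column name into a string literal and `ORDER BY 'calories'` sorts nothing, so quoting is not an option there and an allow-list is the only correct check.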

#4
From Joomla 4, binding data to named parameters is possible with the `bind()` method. This has been asked for for many years and finally it has come to the CMS.

- Early reference in Joomla Docs: [link withheld by forum; registration required]
- Proper Joomla Documentation: [link withheld by forum; registration required]
- Here's a good tutorial: [link withheld by forum; registration required]

The syntax is precisely as prophesied in the snippet in the question:

$taste = "sweet";

$db = JFactory::getDbo();
$query = $db->getQuery(true)
->select("*")
->from($db->quoteName("food"))
->where($db->quoteName("taste") . " = :taste")
->bind(":taste", $taste);
$db->setQuery($query);
$rows = $db->loadAssocList();
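As an added example that is not part of the original thread or the Joomla project's own code, here is the same lookup on Joomla 4 taken a step further than answer #4's snippet: several typed parameters, a bound `IN` list, a bound `LIKE` term, and the by-reference behaviour of `bind()` that explains why the answer assigns `$taste` to a variable first. The table `#__food(id, name, taste, calories)`, the `likeTerm()` helper and the constructed input values are assumptions for the example; the API calls (`bind`, `whereIn`, `ParameterType`, `Factory::getContainer()`) are Joomla 4's.

```php
<?php
// Added example, not code from the original thread: named-parameter binding
// on Joomla 4, where the query object carries the parameters and the driver
// (MySQLi included) sends them as real prepared-statement parameters.
// Assumptions: table #__food(id, name, taste, calories); run inside a
// Joomla 4 extension so the autoloader and Factory are available.

defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

/**
 * Hypothetical helper: make a user-supplied LIKE search term safe so that
 * % and _ inside it match literally while the wildcards we add around it
 * stay wildcards. Bound values are not passed through the driver's
 * escape(), so only the LIKE metacharacters need handling (MySQL's default
 * LIKE escape character is the backslash).
 */
function likeTerm(string $search): string
{
    return '%' . str_replace(['\\', '%', '_'], ['\\\\', '\%', '\_'], $search) . '%';
}

/** @var DatabaseInterface $db */
$db = Factory::getContainer()->get(DatabaseInterface::class);

// Constructed inputs standing in for request parameters.
$taste         = 'sweet';
$maxCalories   = 500;
$ids           = [3, 7, 12];
$search        = likeTerm("50%_off'");   // wildcards and a quote inside the term
$requestedSort = 'calories';

// bind() takes its value BY REFERENCE. Passing a literal, as in the
// question's ->bind(':taste', 'sweet'), is a PHP error ("Cannot pass
// parameter 2 by reference"); every bound value must live in a variable.
$query = $db->getQuery(true)
    ->select($db->quoteName(['id', 'name', 'taste', 'calories']))
    ->from($db->quoteName('#__food'))
    ->where($db->quoteName('taste') . ' = :taste')
    ->where($db->quoteName('calories') . ' <= :maxcal')
    ->where($db->quoteName('name') . ' LIKE :search')
    // whereIn() creates one placeholder per element and binds each one as an
    // integer, so there is no implode() of raw input anywhere.
    ->whereIn($db->quoteName('id'), $ids)
    ->bind(':taste', $taste)                                // STRING is the default type
    ->bind(':maxcal', $maxCalories, ParameterType::INTEGER)
    ->bind(':search', $search);

// Identifiers still cannot be bound. The ORDER BY column goes through an
// allow-list, exactly as it had to in Joomla 3.
$sortable = ['id', 'name', 'calories'];
$sort     = in_array($requestedSort, $sortable, true) ? $requestedSort : 'id';
$query->order($db->quoteName($sort) . ' ASC');

$db->setQuery($query);
$sweetRows = $db->loadAssocList();

// Because the value was bound by reference, changing the variable and
// executing again sends the new value with the same prepared statement.
$taste      = 'bitter';
$bitterRows = $db->loadAssocList();

// The SQL text keeps the :placeholders; the values never appear in it,
// which is what makes the quoting problems of Joomla 3 impossible here.
echo (string) $query;
```

Two practical points follow from the reference semantics. First, do not build the bound variables in a loop and expect `bind()` to snapshot them; the last value assigned before `execute()` is what the driver sends. Second, `bind()` protects values only: table and column names, sort direction and anything else that is part of the SQL grammar still have to be allow-listed, so the hardening habit from Joomla 3 does not disappear with Joomla 4, it just shrinks to the identifiers.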

©0Day 2016 - 2023 | All Rights Reserved.