However, I'm not sure what's getting sent to my prepared statement in the ?s, or how to display it in one of my views with the appropriate values in it (to make sure it's not doing something lame like "WHERE name like '%'big'%').
Any help would be appreciated.
Code: Select all
protected function getBy($type, $val)
{
//check/clean/scrub $type and $val first
$params = array($type, strtolower($val));
$sql = "SELECT name, address, city, state, zip_code, phone, fax " .
"FROM dealers " .
"WHERE ? like '%?%'";
$stmt = $db->query($sql, $params);
$dealers = $stmt->fetchAll();
return $dealers;
}