"Nathan Nobbe" <quickshiftin@xxxxxxxxx> wrote in message news:7dd2dc0b0901221048g2f089cf9s36ecb9a5b35ab418@xxxxxxxxxxxxxxxxx > > yeah, id try call_user_func_array(), > > omit the line to create a string out of the $params, then merge the later > arguments into an array w/ the first 2 args > > #$params = implode(", ", $params); > $check = call_user_func_array('mysqli_stmt_bind_param', > array_merge(array($stmt, $ptype), $params)); > > something like that i think should do the trick. > > -nathan > Ok. I only had to make minimal chnages to the offered solution...highlighted below...I would still appreciate anyone letting me know if my understanding of call_user_func_array() is incorrect though. :) Thanks everyone! Frank ------------ //put the string fields directly in as we will be preparing the sql statment //and that will protect us from injection attempts if($continue){ foreach($stringfields as $value){ $FILTERED[$value] = $_POST[$value]; }; }; //ok...we've made it this far, so let's start building that update query! $vartype = ''; if($continue){ //start building the SQL statement to update the bol table $sqlstring = "UPDATE bol SET"; //initialize a variable to let us know this is the first time through on //the SET construction $i = true; //step through all the FILTERED values to build the SET statment //and accompanying bind statment foreach($FILTERED as $key=>$value){ //make sure we don't put a comma in the first time through if($i){ $sqlstring .= " $key = ?"; $i = false; }else{ $sqlstring .= ", $key = ?"; }; //build the list of types for use durring the mysqli perepared statments switch($key){ case in_array($key, $stringfields): $ptype[] = 's'; break; case in_array($key, $doublefields): $ptype[] = 'd'; break; default: $ptype[] = 'i'; }; }; //make sure we only update the row we are working on $sqlstring .= ' WHERE BoL=' . 
$FILTERED['BoL']; //connect to the db include('c:\inetpub\security\connection.php'); //ok...let's do this query //use mysqli so we can use a prepared statment and avoid sql insert attacks $stmt = mysqli_prepare($iuserConnect, $sqlstring); if(!$stmt){ die(mysqli_stmt_error($stmt)); }; //implode the field types so that we have a useable string for the bind $ptype = implode('', $ptype); <----------------------------------------------------------------> <----- I completely did away with the $param and inserted ------> <----- $FILTERED directly and everything worked great! ------> <----------------------------------------------------------------> //bind the variables using a call to call_user_func_array to put all the //$FILTERED variables in $check = call_user_func_array('mysqli_stmt_bind_param', array_merge(array($stmt, $ptype), $FILTERED)); if(!$check){ die(mysqli_stmt_error($stmt) . '<br><br>'); }; -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
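
Added example, not part of the original thread or Frank's code: the same dynamic UPDATE with the SET columns and bind types taken from a fixed allow-list, and the BoL row key bound as a parameter instead of concatenated into the WHERE clause. The column names, the integer type for BoL and the function names are assumptions, and the argument unpacking needs PHP 5.6 or later.

```php
<?php
// Allow-list of updatable columns and their bind types.
// These column names are constructed samples, not the real bol schema.
const BOL_COLUMNS = ['shipper' => 's', 'weight' => 'd', 'pieces' => 'i'];

/**
 * Build a parameterised UPDATE for table bol.
 * Returns [sql, type string, positional values]; the row key is bound last.
 */
function build_bol_update(array $input, $bol)
{
    $set = []; $types = ''; $values = [];
    foreach (BOL_COLUMNS as $column => $type) {
        if (!array_key_exists($column, $input)) {
            continue;            // field not submitted, leave the column alone
        }
        $set[]    = "`$column` = ?";   // name comes from the constant, not the request
        $types   .= $type;
        $values[] = $input[$column];
    }
    if ($set === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    $types   .= 'i';             // assumption: BoL is an integer key
    $values[] = $bol;
    $sql = 'UPDATE bol SET ' . implode(', ', $set) . ' WHERE BoL = ?';
    return [$sql, $types, $values];
}

function run_bol_update(mysqli $db, array $input, $bol)
{
    list($sql, $types, $values) = build_bol_update($input, $bol);
    $stmt = mysqli_prepare($db, $sql);
    if (!$stmt) {
        // No statement handle exists yet, so the error is on the connection.
        throw new RuntimeException(mysqli_error($db));
    }
    // Unpacking a positional list avoids the string keys and by-reference
    // requirements that affect call_user_func_array() on newer PHP versions.
    if (!mysqli_stmt_bind_param($stmt, $types, ...$values)) {
        throw new RuntimeException(mysqli_stmt_error($stmt));
    }
    return mysqli_stmt_execute($stmt);
}

// Constructed input: 'admin' is not in the allow-list, so it never reaches the SQL.
print_r(build_bol_update(['shipper' => "O'Brien", 'weight' => '12.5', 'admin' => 1], 42));
```

Run from the command line, the last statement prints the generated SQL, the type string `sdi` and the three bound values without needing a database connection.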