Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP PHP & Databases with PDO PDO Database Security Filter Input, Escape Output

Gianni Zamora
Gianni Zamora
9,547 Points
Posted by Gianni Zamora
Gianni Zamora
9,547 Points

call to a member function bindParam() on a non-object in ... on line 16

So I have been working on a personal side project with exactly the similar setup in the php and database series. I am correct up until the point where I have to bind my Param. It is giving me the error listed above. ill input the code

<?php
include('php/contact-form.php');
include('config.php');
$pdo = connect();

if(!empty($_GET['id'])){
    $list_id = intval(($_GET['id']));
}

try {
$sql = 'SELECT * FROM items where id = ?';
$sql->bindParam(1, $list_id);
$query = $pdo->prepare($sql);
$query->execute();
} catch(Exception $e) {
    echo $e->getMessage();
    die();
}
$list = $query->fetch(PDO::FETCH_ASSOC);
?>

1 Answer

Hugo Paz
Hugo Paz
15,622 Points
Hugo Paz
Hugo Paz
15,622 Points

Hi Gianni, $sql is not an pdo pbject, its is a string, this is why you are getting that error.

Try this:

$sql = 'SELECT * FROM items where id = ?';
$query = $pdo->prepare($sql);
$query->bindParam(1, $list_id);
$query->execute();
Viki Pattanaik
Viki Pattanaik
6,314 Points
Viki Pattanaik
Viki Pattanaik
6,314 Points

Well caught Hugo and to add to what you said, another reason why Gianni is getting the error message is because he has called bindParam PDOStatement method before declaring a PDOStatement object which only happens when you invoke the prepare() method. So the prepare() method makes a new instance of a PDOStatement that you can bind values or parameters to before executing the query.

In other words, two reasons why the code block generates a fatal error:

  1. The bindParam is called on a string and not a PDOStatement object.
  2. The bindParam is called before initiation of the PDOStatement::prepare() method.

Hugo's code block will work perfectly as it avoids both the above problems.