ADOdb

Database Abstraction Layer for PHP

User Tools

Site Tools

Trace: Creating A New Driver createIndexSql getInsertSql Connecting to Multiple Databases Memcached Setup
v5:userguide:learn_bind:portability

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
v5:userguide:learn_bind:portability [2017/05/17 20:26] – [Hardening SQL Statements Against Injection Attacks] mnewnhamv5:userguide:learn_bind:portability [2020/12/30 21:29] (current) – fix variables peterdd
Line 14: Line 14:
 $sql = "SELECT * FROM some_table  $sql = "SELECT * FROM some_table 
                 WHERE col1=$col1Ph                  WHERE col1=$col1Ph 
-                  AND col2=$col2ph +                  AND col2=$col2Ph 
                   AND col3=$col3Ph";                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars);+$result = $db->execute($sql, $bindVars);
 </code> </code>
  
Line 32: Line 32:
 ===== Hardening SQL Statements Against Injection Attacks ===== ===== Hardening SQL Statements Against Injection Attacks =====
 In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables. In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
 +
 +The following code snippet is compatible across all databases supported by ADOdb
  
 <code php> <code php>
-$bindVars = array($db->addQ($someVariable), 
-                  $db->addQ($someOtherVariable), 
-                  $db->addQ($yetAnotherVariable)); 
  
 $col1Ph = $db->param('col1'); $col1Ph = $db->param('col1');
 $col2Ph = $db->param('col2'); $col2Ph = $db->param('col2');
 $col3Ph = $db->param('col3'); $col3Ph = $db->param('col3');
 +
 +
 +$bindVars = array('col1'=>$db->addQ($someVariable),
 +                  'col2'=>$db->addQ($someOtherVariable),
 +                  'col3'=>$db->addQ($yetAnotherVariable));
 +
  
 $sql = "SELECT * FROM some_table  $sql = "SELECT * FROM some_table 
                 WHERE col1=$col1Ph                  WHERE col1=$col1Ph 
-                  AND col2=$col2ph +                  AND col2=$col2Ph 
                   AND col3=$col3Ph";                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars);+$result = $db->execute($sql, $bindVars);
 </code> </code>
 +Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.
 +
 **You should always perform sanity checks against data transmitted in from public facing websites.** **You should always perform sanity checks against data transmitted in from public facing websites.**
  
v5/userguide/learn_bind/portability.1495045575.txt.gz · Last modified: by mnewnham