Differences

This shows you the differences between two versions of the page.

--- v5:userguide:learn_bind:portability [2017/05/17 20:24] – mnewnham
+++ v5:userguide:learn_bind:portability [2018/07/14 01:00] – [Hardening SQL Statements Against Injection Attacks] mnewnham
@@ Line 31: / Line 31: @@
 ===== Hardening SQL Statements Against Injection Attacks =====
-In addition to portability, described above, you can use the method [v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
+In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
+The following code snippet is compatible across all databases supported by ADOdb
 <code php>
-$bindVars = array($db->addQ($someVariable),
-                  $db->addQ($someOtherVariable),
-                  $db->addQ($yetAnotherVariable));
 $col1Ph = $db->param('col1');
 $col2Ph = $db->param('col2');
 $col3Ph = $db->param('col3');
+$bindVars = array('col1'=>$db->addQ($someVariable),
+                  'col2'=>$db->addQ($someOtherVariable),
+                  'col3'=>$db->addQ($yetAnotherVariable));
 $sql = "SELECT * FROM some_table
@@ Line 46: / Line 52: @@
                   AND col3=$col3Ph";
 $result = $db->execute($sql,$bindVars);
-<code>
+</code>
+Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.
 **You should always perform sanity checks against data transmitted in from public facing websites.**