ADOdb

Database Abstraction Layer for PHP

User Tools

Site Tools


v5:userguide:learn_bind:portability

Bind Placeholders Across Databases

Bind placeholders vary from one database to another, so ADOdb provides a method param() that returns a database specific placeholder. Using the above example, we can write it as a portable statement:

$bindVars = array('A','B','C');
 
$col1Ph = $db->param('col1');
$col2Ph = $db->param('col2');
$col3Ph = $db->param('col3');
 
$sql = "SELECT * FROM some_table 
                WHERE col1=$col1Ph 
                  AND col2=$col2Ph 
                  AND col3=$col3Ph";
$result = $db->execute($sql, $bindVars);

In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the column. So the executed statement in the above example would appear as follows:

MySQL

SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?

Oracle

SELECT * FROM some_table WHERE col1=:col1 AND col2=:col2 AND col3=:col3

PostgreSQL

SELECT * FROM some_table WHERE col1=$1 AND col2=$2 AND col3=$3

Databases Without Bind Support

You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form.

Hardening SQL Statements Against Injection Attacks

In addition to portability, described above, you can use the method addQ() to ensure that special characters are escaped before use inside string variables.

The following code snippet is compatible across all databases supported by ADOdb

$col1Ph = $db->param('col1');
$col2Ph = $db->param('col2');
$col3Ph = $db->param('col3');
 
 
$bindVars = array('col1'=>$db->addQ($someVariable),
                  'col2'=>$db->addQ($someOtherVariable),
                  'col3'=>$db->addQ($yetAnotherVariable));
 
 
$sql = "SELECT * FROM some_table 
                WHERE col1=$col1Ph 
                  AND col2=$col2Ph 
                  AND col3=$col3Ph";
$result = $db->execute($sql, $bindVars);

Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.

You should always perform sanity checks against data transmitted in from public facing websites.

v5/userguide/learn_bind/portability.txt · Last modified: 2020/12/30 21:29 by peterdd