v5:userguide:learn_bind:portability
Differences
This shows you the differences between two versions of the page.
Next revision | Previous revisionLast revisionBoth sides next revision | ||
v5:userguide:learn_bind:portability [2016/03/23 01:54] – created mnewnham | v5:userguide:learn_bind:portability [2018/07/14 01:00] – [Hardening SQL Statements Against Injection Attacks] mnewnham | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | <- v5: | + | <- v5: |
~~NOTOC~~ | ~~NOTOC~~ | ||
Line 10: | Line 10: | ||
$col1Ph = $db-> | $col1Ph = $db-> | ||
$col2Ph = $db-> | $col2Ph = $db-> | ||
- | $col2Ph | + | $col3Ph |
- | $sql = " | + | $sql = " |
+ | | ||
+ | | ||
+ | | ||
$result = $db-> | $result = $db-> | ||
</ | </ | ||
- | In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the column. So in the above example would appear as follows: | + | In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the column. So the executed statement |
==== MySQL ==== | ==== MySQL ==== | ||
SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=? | SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=? | ||
Line 26: | Line 29: | ||
===== Databases Without Bind Support ===== | ===== Databases Without Bind Support ===== | ||
You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form. | You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form. | ||
+ | |||
+ | ===== Hardening SQL Statements Against Injection Attacks ===== | ||
+ | In addition to portability, | ||
+ | |||
+ | The following code snippet is compatible across all databases supported by ADOdb | ||
+ | |||
+ | <code php> | ||
+ | |||
+ | $col1Ph = $db-> | ||
+ | $col2Ph = $db-> | ||
+ | $col3Ph = $db-> | ||
+ | |||
+ | |||
+ | $bindVars = array(' | ||
+ | ' | ||
+ | ' | ||
+ | |||
+ | |||
+ | $sql = " | ||
+ | WHERE col1=$col1Ph | ||
+ | AND col2=$col2ph | ||
+ | AND col3=$col3Ph"; | ||
+ | $result = $db-> | ||
+ | </ | ||
+ | Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array. | ||
+ | |||
+ | **You should always perform sanity checks against data transmitted in from public facing websites.** | ||
+ |
v5/userguide/learn_bind/portability.txt · Last modified: 2020/12/30 21:29 by peterdd