ADOdb

Database Abstraction Layer for PHP

v5:userguide:learn_bind:portability [2016/03/23 02:07] – [Bind Placeholders Across Databases] mnewnham
v5:userguide:learn_bind:portability [2018/07/14 01:00] – [Hardening SQL Statements Against Injection Attacks] mnewnham
Line 29: Line 29:
 ===== Databases Without Bind Support ===== ===== Databases Without Bind Support =====
 You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form. You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form.
 +
 +===== Hardening SQL Statements Against Injection Attacks =====
 +In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
 +
 +The following code snippet is compatible across all databases supported by ADOdb
 +
 +<code php>
 +
 +$col1Ph = $db->param('col1');
 +$col2Ph = $db->param('col2');
 +$col3Ph = $db->param('col3');
 +
 +
 +$bindVars = array('col1'=>$db->addQ($someVariable),
 +                  'col2'=>$db->addQ($someOtherVariable),
 +                  'col3'=>$db->addQ($yetAnotherVariable));
 +
 +
 +$sql = "SELECT * FROM some_table 
 +                WHERE col1=$col1Ph 
 +                  AND col2=$col2ph 
 +                  AND col3=$col3Ph";
 +$result = $db->execute($sql,$bindVars);
 +</code>
 +Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.
 +
 +**You should always perform sanity checks against data transmitted in from public facing websites.**
 +
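Review bot: the placeholder interpolated on the line `AND col2=$col2ph` does not match the variable defined as `$col2Ph = $db->param('col2');`; PHP variable names are case-sensitive, so `$col2ph` is undefined and interpolates as an empty string, leaving `AND col2=` in the statement and a malformed query on every database. Change it to `$col2Ph`. Separately, wrapping each value in `$db->addQ()` before placing it in `$bindVars` escapes data that the bind path already handles: on drivers with native bind support the parameter is sent separately from the SQL text and needs no escaping, and on drivers without it the section above says ADOdb rewrites the statement back into the non-bind form, quoting the values itself, so a value such as O'Brien is stored double-escaped. Either pass the raw values as bind variables or reserve addQ() for strings that are interpolated directly into the SQL text; since the heading presents this snippet as the hardening pattern, the text should state which of the two is intended. The caveat that some drivers discard the array keys and treat $bindVars positionally would also be clearer placed before the code, because the snippet only works on those drivers when the placeholders appear in the same order as the array entries.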
v5/userguide/learn_bind/portability.txt · Last modified: 2020/12/30 21:29 by peterdd