ADOdb

Database Abstraction Layer for PHP

v5:userguide:learn_bind:portability

Differences

This shows you the differences between two versions of the page.

v5:userguide:learn_bind:portability [2016/03/23 02:06] – [Bind Placeholders Across Databases] mnewnham
v5:userguide:learn_bind:portability [2020/12/30 21:29] (current) – fix variables peterdd
Line 10: Line 10:
 $col1Ph = $db->param('col1'); $col1Ph = $db->param('col1');
 $col2Ph = $db->param('col2'); $col2Ph = $db->param('col2');
-$col2Ph = $db->param('col3');+$col3Ph = $db->param('col3');
  
 $sql = "SELECT * FROM some_table  $sql = "SELECT * FROM some_table 
                 WHERE col1=$col1Ph                  WHERE col1=$col1Ph 
-                  AND col2=$col2ph  +                  AND col2=$col2Ph  
-                  AND col3=$colPh"; +                  AND col3=$col3Ph"; 
-$result = $db->execute($sql,$bindVars);+$result = $db->execute($sql, $bindVars);
 </code> </code>
  
-In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the column. So in the above example would appear as follows:+In the above example, you can see that it is necessary to obtain a unique placeholder for each bind variable. This is because in some databases, the placeholder is uniquely associated with the column. So the executed statement in the above example would appear as follows:
 ==== MySQL ==== ==== MySQL ====
   SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?   SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?
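Review bot: The renames on the right side fix three genuinely broken references on the left, not just a style issue: `$col2Ph = $db->param('col3')` overwrote the col2 placeholder, and `$col2ph` and `$colPh` were never assigned (PHP variable names are case-sensitive), so they interpolated as empty strings with a notice and the query read `col2= AND col3=`. What the hunk still leaves unclear is the sentence that a placeholder "is uniquely associated with the column": it is associated with the name passed to `param()`, and for the drivers that emit named placeholders that name must match the key of the corresponding entry in `$bindVars`. Suggest rewording to "each placeholder carries the name given to `param()` and must match a key in `$bindVars`" so readers do not assume the column name itself is significant.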
Line 29: Line 29:
 ===== Databases Without Bind Support ===== ===== Databases Without Bind Support =====
 You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form. You can still use the bind form of execute in ADOdb if the database does not support binding. In this case ADOdb simply rewrites the query statement for you back into the non-bind form.
 +
 +===== Hardening SQL Statements Against Injection Attacks =====
 +In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
 +
 +The following code snippet is compatible across all databases supported by ADOdb
 +
 +<code php>
 +
 +$col1Ph = $db->param('col1');
 +$col2Ph = $db->param('col2');
 +$col3Ph = $db->param('col3');
 +
 +
 +$bindVars = array('col1'=>$db->addQ($someVariable),
 +                  'col2'=>$db->addQ($someOtherVariable),
 +                  'col3'=>$db->addQ($yetAnotherVariable));
 +
 +
 +$sql = "SELECT * FROM some_table 
 +                WHERE col1=$col1Ph 
 +                  AND col2=$col2Ph 
 +                  AND col3=$col3Ph";
 +$result = $db->execute($sql, $bindVars);
 +</code>
 +Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.
 +
 +**You should always perform sanity checks against data transmitted in from public facing websites.**
 +
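Review bot: The new section's central recommendation, `'col1' => $db->addQ($someVariable)` inside `$bindVars`, is wrong and should not ship as hardening advice: a bound value is handed to the driver as a literal, so the quoting added by `addQ()` is not interpreted as SQL syntax but stored or compared verbatim (O'Brien becomes O''Brien), and on the drivers the previous section says have no bind support, ADOdb quotes each value itself when it rewrites the statement into non-bind form, so the value is escaped twice. Escaping and binding are alternatives, not layers: bind the raw value (`'col1' => $someVariable`) and reserve `addQ()` for values that are concatenated directly into the SQL string. Also worth stating explicitly in the text, since the snippet mixes named keys with the note that some drivers discard them, that the keys only matter on named-placeholder drivers while the order matters everywhere. The closing advice to sanity-check public input is sound but should be presented as input validation on top of binding, not as a substitute for it.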
v5/userguide/learn_bind/portability.1458695210.txt.gz · Last modified: 2017/04/21 11:40 (external edit)