ADOdb

Database Abstraction Layer for PHP

User Tools

Site Tools

Trace:
v5:userguide:learn_bind:portability

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
v5:userguide:learn_bind:portability [2017/05/17 20:24] mnewnhamv5:userguide:learn_bind:portability [2020/12/30 21:29] (current) – fix variables peterdd
Line 14: Line 14:
 $sql = "SELECT * FROM some_table  $sql = "SELECT * FROM some_table 
                 WHERE col1=$col1Ph                  WHERE col1=$col1Ph 
-                  AND col2=$col2ph +                  AND col2=$col2Ph 
                   AND col3=$col3Ph";                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars);+$result = $db->execute($sql, $bindVars);
 </code> </code>
  
Line 31: Line 31:
  
 ===== Hardening SQL Statements Against Injection Attacks ===== ===== Hardening SQL Statements Against Injection Attacks =====
-In addition to portability, described above, you can use the method [v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.+In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables. 
 + 
 +The following code snippet is compatible across all databases supported by ADOdb 
 <code php> <code php>
-$bindVars = array($db->addQ($someVariable), 
-                  $db->addQ($someOtherVariable), 
-                  $db->addQ($yetAnotherVariable)); 
  
 $col1Ph = $db->param('col1'); $col1Ph = $db->param('col1');
 $col2Ph = $db->param('col2'); $col2Ph = $db->param('col2');
 $col3Ph = $db->param('col3'); $col3Ph = $db->param('col3');
 +
 +
 +$bindVars = array('col1'=>$db->addQ($someVariable),
 +                  'col2'=>$db->addQ($someOtherVariable),
 +                  'col3'=>$db->addQ($yetAnotherVariable));
 +
  
 $sql = "SELECT * FROM some_table  $sql = "SELECT * FROM some_table 
                 WHERE col1=$col1Ph                  WHERE col1=$col1Ph 
-                  AND col2=$col2ph +                  AND col2=$col2Ph 
                   AND col3=$col3Ph";                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars); +$result = $db->execute($sql, $bindVars); 
-<code>+</code> 
 +Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array. 
 **You should always perform sanity checks against data transmitted in from public facing websites.** **You should always perform sanity checks against data transmitted in from public facing websites.**
  
v5/userguide/learn_bind/portability.1495045473.txt.gz · Last modified: 2017/05/17 20:24 by mnewnham