Differences

This shows you the differences between two versions of the page.

--- v5:userguide:learn_bind:portability [2017/05/17 20:26] – [Hardening SQL Statements Against Injection Attacks] mnewnham
+++ v5:userguide:learn_bind:portability [2020/12/30 21:29] (current) – fix variables peterdd
@@ Line 14: / Line 14: @@
 $sql = "SELECT * FROM some_table
                 WHERE col1=$col1Ph
-                  AND col2=$col2ph
+                  AND col2=$col2Ph
                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars);
+$result = $db->execute($sql, $bindVars);
 </code>
@@ Line 32: / Line 32: @@
 ===== Hardening SQL Statements Against Injection Attacks =====
 In addition to portability, described above, you can use the method [[v5:reference:connection:addq|addQ()]] to ensure that special characters are escaped before use inside string variables.
+The following code snippet is compatible across all databases supported by ADOdb
 <code php>
-$bindVars = array($db->addQ($someVariable),
-                  $db->addQ($someOtherVariable),
-                  $db->addQ($yetAnotherVariable));
 $col1Ph = $db->param('col1');
 $col2Ph = $db->param('col2');
 $col3Ph = $db->param('col3');
+$bindVars = array('col1'=>$db->addQ($someVariable),
+                  'col2'=>$db->addQ($someOtherVariable),
+                  'col3'=>$db->addQ($yetAnotherVariable));
 $sql = "SELECT * FROM some_table
                 WHERE col1=$col1Ph
-                  AND col2=$col2ph
+                  AND col2=$col2Ph
                   AND col3=$col3Ph";
-$result = $db->execute($sql,$bindVars);
+$result = $db->execute($sql, $bindVars);
 </code>
+Note that the order of the bind variables in $bindVars must match the order of insertion into the SQL statement. Some databases use $bindVars as an associative array, but some discard the indexes and use $bindVars as a numeric array.
 **You should always perform sanity checks against data transmitted in from public facing websites.**