ansaurus

Question

Understanding how to bind parameters and insert data in Adodb

Answer 1

A:

Using mysql_real_escape_string should do the trick too, it escapes the quotes automatically after which you can insert data into the database, consider this example:

$str = '<div id="test"><a href="#">Test string in db</a></div> string content';
$str_escaped = mysql_real_escape_string($str);

Now you can safely use the $str_escaped variable to insert data into the database. Furthermore, it is useful in preventing SQL injection attacks.

Sarfraz 2010-03-02 07:50:28

What? http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input

jasonbar 2010-03-02 07:54:07

@jasonbar: could you be more specific?

Sarfraz 2010-03-02 07:57:33

I mean, you just argued that `mysql_real_escape_string()` is not sufficient for preventing SQL injections. Now it is? This also doesn't address the question.

jasonbar 2010-03-02 07:59:46

@jasonbar: i said "mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend." you see i did not reject it totally, i said it is good too, it is a very good friend and then i said but prepared statements were **better**. Hope that clarifies.

Sarfraz 2010-03-02 08:01:57

@Sarfraz: He's actually using prepared statements here, though. I understand and agree with your position. Also, You have a typo "mysql-real-escape-string"

jasonbar 2010-03-02 08:10:37

@jasonbar: thanks for that type info, whatever, i don't think my answer is wrong, we are not comparing mysql_real and prepared statemen in this question. Thanks again :(

Sarfraz 2010-03-02 08:22:26

Answer 2

A:

I haven't used ADODB for a while but I believe this should work, no?

$str = '<div id="test"><a href="#">Test string in db</a></div> string content';
$rs = $db->Execute('select * from table where val=?', array($str));

Thorpe Obazee 2010-03-02 07:50:44

Answer 3

A:

The ?'s in the SQL serve as placeholders for values that are bound to the statement.

When executed, ADO is executing (given your example)

select * from table where val=10

You should be able to construct your insert SQL roughly as:

INSERT INTO `table` (`col1`, `col2` ...) VALUES(?, ? ...)

Passing in your values (in the correct order) will render the appropriate query.

jasonbar 2010-03-02 07:56:44

How would I do an UPDATE statement with binding? I currently have: "UPDATE x_ast_attr SET cust_val = '$attr' WHERE id='$this->assetid'"

Nic Hubbard 2010-03-04 05:03:18

Answer 4

A:

Adapted from the CodeIgniter framework:

function compile_binds($sql, $binds)
{
    if (strpos($sql, '?') === FALSE)
    {
        return $sql;
    }

    if ( ! is_array($binds))
    {
        $binds = array($binds);
    }

    // Get the sql segments around the bind markers
    $segments = explode('?', $sql);

    // The count of bind should be 1 less then the count of segments
    // If there are more bind arguments trim it down
    if (count($binds) >= count($segments)) {
        $binds = array_slice($binds, 0, count($segments)-1);
    }

    // Construct the binded query
    $result = $segments[0];
    $i = 0;
    foreach ($binds as $bind)
    {
        $result .= mysql_real_escape_string($bind);
        $result .= $segments[++$i];
    }

    return $result;
}

Then you could have a function:

function query($sql, $binds)
{
    return $db->Execute(compile_binds($sql, $binds));
}

$query = query('select * from table where val=?', array('10'));

fire 2010-03-02 08:56:02

ansaurus

tags:

views:

answers:

Understanding how to bind parameters and insert data in Adodb

related questions