Thread: https://forums.phpfreaks.com/topic/293662-pdo-mysql-code-safe-from-injection/

kalster, posted January 4, 2015 (edited January 4, 2015 by kalster):

Is this select query code safe from injection?

    try {
        $stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
        $stmt->execute();
        $row = $stmt->fetch();
    } catch (PDOException $e) {
        // error handling omitted in the original post
    }

Notice there is no bind:

    $stmt->bindParam(':key', $key);

The reason I am asking is that I have many $key variables in the query and I do not know how to use bind in a query such as this:

    SELECT count(*) FROM posts
    WHERE MATCH (file) AGAINST ('$key' IN BOOLEAN MODE)
       OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)

The $key is not an array and the $key does not change its value.
mac_gyver, posted January 4, 2015:

From your previous thread: each place-holder can only appear once in a query, with a bind statement for each. You would need to use something like :words1, :words2 but bind the same variable to each.
kalster (author), posted January 5, 2015:

Yes, I understand the place-holders, but the place-holder code cannot be manually done. :words1, :words2 needs to come from a PHP array, if possible, then $stmt->bindParam(':array', $key), as an example.
CroNiX, posted January 5, 2015:

You can always do a foreach() loop on the array to build the $stmt->bindParam()'s.
kalster (author), posted January 5, 2015:

Yes, but how to insert :word1, :word2, etc. in the SQL query and the first parameter of bindParam?
mac_gyver, posted January 5, 2015 (marked as solution):

This may actually be a good place to use a ? place-holder rather than a named one, so that you don't need to generate anything special in the SQL query syntax. You would only need to know the range of integer-numbered indexes they are in the bind statement.
kalster (author), posted January 5, 2015:

That cannot work because how many "?" there are is undetermined and the range is not known. The range can be anything from one onward. The query is "SELECT". Is "select" safe from injection when not using a bindParam?
mac_gyver, posted January 5, 2015:

If you are dynamically building the query, you would just add one element to a $params array for each place-holder. If you have a bunch of statically written queries, you would build the $params array to match the place-holders in each query. I/we don't see what problem you are having applying this to your code since you haven't shown us any actual code/context.

    $key = "+some +keywords -here"; // a sample boolean mode query string that's been input to your code

    // the params array for a query that has 3 place-holders - :key1, :key2, :key3
    $params = array(':key1' => $key, ':key2' => $key, ':key3' => $key);

    // note this is also of the format that you could use $stmt->execute($params)

    // bind the parameters
    // bindValue() rather than bindParam(): bindParam() binds by reference, and
    // inside a foreach the reference would be to the loop variable $v, so every
    // place-holder would end up with whatever $v held after the last iteration
    foreach ($params as $k => $v) {
        $stmt->bindValue($k, $v);
    }
kalster (author), posted January 5, 2015:

With PHP, I think I can get the total count of $key from an array that is used in implode(). If not, then I will try your code. I will let you know tomorrow if the code works.
kalster (author), posted January 6, 2015:

The ? place-holder worked with a PHP for loop at bindParam.
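The following is an added example, not code posted by anyone in this thread. It ties together the two safe shapes the thread converges on: `?` place-holders generated once per searched column with the same value supplied for each (the approach that worked for the author), and unique named place-holders `:key1`, `:key2`, ... built from an array (mac_gyver's first suggestion). It also answers the recurring question in the thread: a SELECT is not safe just because it is a SELECT; what matters is whether `$key` is spliced into the SQL text or passed as a bound value. The code assumes a PDO MySQL connection in `$db`, a `posts` table with FULLTEXT indexes on `file` and `user`, and a hypothetical extra column `title`; the function names are mine.

```php
<?php
declare(strict_types=1);

// Unsafe pattern from the first post (kept as a comment): $key is interpolated
// before prepare() ever sees the string, so there is nothing left to bind and
// the statement type (SELECT or otherwise) makes no difference.
//   $stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");

/**
 * Build a boolean-mode fulltext search over several columns using `?`
 * place-holders, one per column, all carrying the same search string.
 * Returns [$sql, $params] so the caller can pass $params straight to execute().
 *
 * Column names cannot be bound, so they come from a fixed developer-chosen
 * allow-list and never from the request.
 */
function buildFulltextSearch(array $columns, string $key): array
{
    $allowed = ['file', 'user', 'title']; // 'title' is a hypothetical column
    $clauses = [];
    foreach ($columns as $col) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("column not searchable: $col");
        }
        $clauses[] = "MATCH ($col) AGAINST (? IN BOOLEAN MODE)";
    }
    $sql = 'SELECT COUNT(*) FROM posts WHERE ' . implode(' OR ', $clauses);
    // The number of `?` is whatever the clause count turned out to be, so the
    // "range is not known" objection is handled by deriving it here.
    $params = array_fill(0, count($clauses), $key);
    return [$sql, $params];
}

/**
 * Same query with named place-holders :key1, :key2, ... generated from the
 * array, each used exactly once (native prepares reject a repeated name).
 */
function buildFulltextSearchNamed(array $columns, string $key): array
{
    $allowed = ['file', 'user', 'title'];
    $clauses = [];
    $params  = [];
    foreach (array_values($columns) as $i => $col) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("column not searchable: $col");
        }
        $name = ':key' . ($i + 1);
        $clauses[] = "MATCH ($col) AGAINST ($name IN BOOLEAN MODE)";
        $params[$name] = $key;
    }
    return ['SELECT COUNT(*) FROM posts WHERE ' . implode(' OR ', $clauses), $params];
}

// --- usage ---
// $key is raw user input; it travels to MySQL as a value, never as SQL text.
$key = $_GET['q'] ?? '';

// Turn emulation off so MySQL itself receives the place-holders; with emulation
// on, PDO quotes values client-side and happens to tolerate repeated names.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

[$sql, $params] = buildFulltextSearch(['file', 'user'], $key);
$stmt = $db->prepare($sql);
$stmt->execute($params);           // binds every `?` by position, 1-based
$count = (int) $stmt->fetchColumn();

// Named variant; bindValue() is used instead of bindParam() because bindParam()
// binds by reference, and in a foreach that reference would be the loop
// variable, leaving every place-holder with the value of the last iteration.
[$sql2, $params2] = buildFulltextSearchNamed(['file', 'user', 'title'], $key);
$stmt2 = $db->prepare($sql2);
foreach ($params2 as $name => $value) {
    $stmt2->bindValue($name, $value);
}
$stmt2->execute();
```

Either builder can be checked without a database by inspecting the returned SQL: it must contain only literal `?` or `:keyN` tokens and the allow-listed column names, never any fragment of `$key`. A quick way to confirm the binding actually reaches MySQL is to enable the general query log during a test and verify that the logged statement still shows place-holders rather than the interpolated search string.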