pdo mysql, code safe from injection?

[kalster]

 is this select query code safe from injection?

try {
	$stmt = $db->prepare("SELECT * FROM posts WHERE key=$key");
	$stmt->execute();
	$row = $stmt->fetch();
} 

notice there is no bind.

$stmt->bindParam(':key', $key);

the reason i am asking is that i have many $key variable in the query and i do not know how to use bind in a query such as this...

SELECT count(*) FROM posts WHERE MATCH (file) AGAINST 
('$key' IN BOOLEAN MODE) OR MATCH (user) AGAINST ('$key' IN BOOLEAN MODE)

the $key is not an array and the $key does not change it's value.

[mac_gyver]

from your previous thread -

each place-holder can only appear once in a query, with a bind statement for each. you would need to use something like :words1, :words2 but bind the same variable to each.

[kalster]

yes, i understand the place-holders. but the place-holders code cannot be manually done.  :words1, :words2, needs to be from an php array, if possiable. then $stmt->bindParam(':array', $key),  as an example.

[CroNiX]

You can always do a foreach() loop on the array to build the $stmt->bindParam()'s

[kalster]

yes, but how to insert :word1, :word2, ect, in the sql query and first parameter of bindParam?

[mac_gyver]

this may actually be a good place to use a ? place-holder rather than a named one so that you don't need to generate anything special in the sql query syntax. you would only need to know the range of integer numbered indexes they are in the bind statement.

[kalster]

That cannot work because how many "?" is undetermined and the range is not known. the range can be anything from one onward.

 

the query is "SELECT". is "select" safe from injection when not using a bindParam?

[mac_gyver]

if you are dynamically building the query, you would just add one element to a $param array for each place holder. if you have a bunch of statically written queries, you would build the $param array to match the place holders in each query.

i/we don't see what problem you are having applying this to your code since you haven't shown us any actual code/context.

$key = "+some +keywords -here"; // a sample boolean mode query string that's been input to your code

// the params array for a query that has 3 place holders - :key1, :key2, :key3
$params = array(':key1'=>$key, ':key2'=>$key, ':key3'=>$key); // note this is also of the format that you could use $stmt->execute($params)

// bind the parameters
foreach($params as $k=>$v){
  $stmt->bindParam($k, $v);
}

[kalster]

with php, I think i can get the total count of $key from an array that is used in implode(). if not, then i will try your code. i will let you know tomorrow if the code works.

[kalster]

The ? place-holder worked with a php for loop at bindParam.