Re: Clean PDO-MySQL Statement [message #177690 is a reply to message #177682] Fri, 13 April 2012 16:07
Jerry Stuckle
Messages: 2598
Registered: September 2010
Senior Member
On 4/13/2012 7:30 AM, Alexandra Herzog wrote:
> Hi everyone,
>
> I am using the PDO with MySQL for the first time and created a statement. Besides from individual input validation (which I always do), I would like to know, if you consider the following to be a clean statement:
>
> That's what I figured from googled examples:
>
> include ("pdoconnect.php");
> $stmt = $dbh->prepare("SELECT firstname, name FROM telephonebook WHERE from_work = :workstatus ORDER BY :mywish ASC");
> $stmt->bindParam(':workstatus', $n, PDO::PARAM_INT);
> $stmt->bindParam(':mywish', $order, PDO::PARAM_STR);
> $n = 1; $order = "firstname";
> $stmt->execute();
>
> echo "<u>".$stmt->rowCount()."</u>\r\n";
> while ($row = $stmt->fetch())
> echo $row['firstname']."&nbsp;".$row['name']."<br>";
> $stmt->closeCursor();
> $dbh = null;
>
>
> in pdoconnect.php:
> -----------------------
> try
> { $dbh = new PDO('mysql:host=host1.myhost.com;dbname=mydb1', 'alex', 'mypass');
> foreach ($dbh->query('SELECT * from FOO') as $row)
> { print_r($row); }
> }
> catch(PDOException $e)
> { print "Database connection error!<br/>";
> die();
> }
>
> I tried to prevent SQL injection methods by specifying PDO::PARAM*, and closing the statement and connection properly.
>
> Is this a correct example? Or should I improve something?
>
> Any hints greatly appreciated, since I am about to change all my scripts to this :-)
> Thanks, Alex

No, it will not work. You cannot use a bind parameter as a column name
(i.e. in the ORDER BY clause). You can only use it where you have a value.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
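To make the point of the reply concrete, here is an added example (not code from the thread; it uses Python's sqlite3 module rather than PHP/PDO because the mechanism is the same in every driver): a placeholder is a slot for a value, so binding "firstname" into ORDER BY sorts by the constant string 'firstname', which every row compares equal on, and nothing is ordered. With PDO's emulated prepares the bound value is spliced in as a quoted string literal, which MySQL likewise accepts and ignores. The fix is to bind the value (from_work) normally and to map the column name and direction through an allow-list before interpolating them. The table, rows and column names below are constructed to match the poster's query and are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the poster's `telephonebook` table.
SAMPLE_ROWS = [
    ("Zoe", "Adams", 1),
    ("Alex", "Herzog", 1),
    ("Maria", "Becker", 0),
    ("Ben", "Yilmaz", 1),
]

# Allow-lists: keys are what the client may send, values are the only
# identifiers that will ever be interpolated into query text.
ORDER_COLUMNS = {"firstname": "firstname", "name": "name"}
ORDER_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE telephonebook (firstname TEXT, name TEXT, from_work INTEGER)"
    )
    conn.executemany("INSERT INTO telephonebook VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def naive_order(conn, workstatus, order_by):
    """The poster's approach: the ORDER BY column is bound like a value.

    The driver passes order_by as a string constant, so ORDER BY compares a
    constant for every row and the result is not sorted by that column.
    """
    cur = conn.execute(
        "SELECT firstname, name FROM telephonebook "
        "WHERE from_work = ? ORDER BY ? ASC",
        (workstatus, order_by),
    )
    return cur.fetchall()


def validate_order(order_by, direction="asc"):
    """Map untrusted sort parameters onto allow-listed SQL identifiers.

    Anything not in the allow-lists (including injection attempts such as
    'firstname; DROP TABLE telephonebook') is rejected before any SQL is built.
    """
    try:
        return ORDER_COLUMNS[order_by], ORDER_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort {order_by!r} {direction!r}") from None


def safe_order(conn, workstatus, order_by, direction="asc"):
    """Value goes through a placeholder; identifiers go through the allow-list.

    The column name is double-quoted (standard SQL / SQLite); with MySQL use
    backticks. Quoting is defence in depth: the allow-list is what makes this safe.
    """
    column, dirn = validate_order(order_by, direction)
    sql = (
        "SELECT firstname, name FROM telephonebook "
        f'WHERE from_work = ? ORDER BY "{column}" {dirn}'
    )
    return conn.execute(sql, (workstatus,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("naive, 'firstname':", naive_order(db, 1, "firstname"))
    print("naive, 'name':     ", naive_order(db, 1, "name"))
    print("safe, firstname:   ", safe_order(db, 1, "firstname"))
    print("safe, name desc:   ", safe_order(db, 1, "name", "desc"))
```

Run it and the two naive calls print identical row lists whichever column name is bound, while the allow-listed version actually sorts. The same shape carries straight over to PDO: keep :workstatus as a bound parameter, look the requested column up in a PHP array of permitted names, and concatenate only that array value into the ORDER BY clause.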