Re: Clean PDO-MySQL Statement [message #177690 is a reply to message #177682]
Fri, 13 April 2012 16:07
Jerry Stuckle
On 4/13/2012 7:30 AM, Alexandra Herzog wrote:
> Hi everyone,
>
> I am using PDO with MySQL for the first time and have created a statement. Besides individual input validation (which I always do), I would like to know whether you consider the following to be a clean statement:
>
> That's what I figured from googled examples:
>
> include ("pdoconnect.php");
> $stmt = $dbh->prepare("SELECT firstname, name FROM telephonebook WHERE from_work = :workstatus ORDER BY :mywish ASC");
> $stmt->bindParam(':workstatus', $n, PDO::PARAM_INT);
> $stmt->bindParam(':mywish', $value, PDO::PARAM_STR);
> $n = 1; $value = "firstname";
> $stmt->execute();
>
> echo "<u>".$stmt->rowCount()."</u>\r\n";
> while ($row = $stmt->fetch())
> echo $row['firstname']." ".$row['name']."<br>";
> $stmt->closeCursor();
> $dbh = null;
>
>
> in pdoconnect.php:
> -----------------------
> try
> { $dbh = new PDO('mysql:host=host1.myhost.com;dbname=mydb1', 'alex', 'mypass');
> foreach ($dbh->query('SELECT * from FOO') as $row)
> { print_r($row); }
> }
> catch(PDOException $e)
> { print "Database connection error!<br/>";
> die();
> }
>
> I tried to prevent SQL injection methods by specifying PDO::PARAM*, and closing the statement and connection properly.
>
> Is this a correct example? Or should I improve something?
>
> Any hints greatly appreciated, since I am about to change all my scripts to this :-)
> Thanks, Alex
No, it will not work. You cannot use a bind parameter as a column name
(i.e. in the ORDER BY clause). You can only use it where you have a value.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
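The usual way around the limitation Jerry describes is to keep the WHERE value as a bound parameter and select the ORDER BY column from a fixed allow-list of identifiers. The following is an added example (not code from either poster); it reuses the table and column names from the question and assumes placeholder connection credentials.

```php
<?php
// Added example: identifiers (table/column names) cannot be bound, so the sort
// column is taken from an allow-list and only the WHERE value is a placeholder.
function fetchTelephoneBook(PDO $dbh, int $workStatus, string $orderBy): array
{
    // Allow-list maps the requested sort name to a literal column identifier.
    $allowedColumns = ['firstname' => 'firstname', 'name' => 'name'];
    if (!isset($allowedColumns[$orderBy])) {
        throw new InvalidArgumentException("Unknown sort column: $orderBy");
    }
    $column = $allowedColumns[$orderBy];

    // The identifier comes from the allow-list, never from raw input;
    // the value is bound as an integer.
    $sql = "SELECT firstname, name FROM telephonebook "
         . "WHERE from_work = :workstatus ORDER BY `$column` ASC";
    $stmt = $dbh->prepare($sql);
    $stmt->bindValue(':workstatus', $workStatus, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor();
    return $rows;
}

// Connection: quoted credentials (placeholders, not real values), exceptions
// enabled so failures are not silently ignored, and server-side prepares.
$dbh = new PDO(
    'mysql:host=HOST_PLACEHOLDER;dbname=mydb1;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// 'firstname' passes the allow-list; anything else throws before any SQL runs.
foreach (fetchTelephoneBook($dbh, 1, 'firstname') as $row) {
    // Escape on output so names containing markup do not become HTML.
    echo htmlspecialchars($row['firstname'] . ' ' . $row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$dbh = null;
```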