So I am trying to use sql commands preparation to avoid injection but I can't figure out how can I use SQL statements in the bind_param function. My code is this :
function saveContent($POST_DATA) {
$conn = new mysqli("HOST", "USER", "PASSWORD");
if ($conn->connect_error) {
return false;
} else {
$command = $conn->prepare("INSERT INTO events (title, dateHappening, time, topic,
subtopic, extraMessage) VALUES (?, ?, ?, ?, ?, ?)";
$command->bind_param("ssssss", $POST_DATA["inputTitre"], $POST_DATA["inputDate"],
$POST_DATA["inputHour"], $POST_DATA["selectTopic"], $POST_DATA["selectSubTopic"],
$POST_DATA["inputMessage"]);
$command->execute();
$command->close();
$conn->close();
}
}
The thing here is that I would like extraMessage to be NULL if it is blank (because this field is not mandatory). To optimize this code I would have liked to use something like
NULLIF($POST_DATA["inputMessage"], "")
Is inserting the statement above in the bind_param function possible ?
Question solved (see comment under my question) :
No. You have to write all the SQL expressions in the query and only insert the placeholder where the value goes. So, essentially, you would put NULLIF(?, "") in the query instead of just a ?. –
Related
I find ezSQL library very useful but as far as I see there is no implementation of prepared statements in it, am I right? Or is there something I don't know?
I have checked out the help file which I downloaded from http://justinvincent.com/ezsql
For example: I have some queries like
$stmt = $conn->prepare("INSERT INTO gecici_magaza_detay VALUES ($geciciMagazaId,?,?,?,?)");
$stmt->bind_param("iiss",$gunId,$acikMi,$girisSaati,$cikisSaati);
for($j=0; $j<7; $j++) {
$gunId = $j+1;
$acikMi = (empty($acilis[$j]) || empty($kapanis[$j])) ? 0 : 1;
$girisSaati = $acikMi ? $acilis[$j] : null;
$cikisSaati = $acikMi ? $kapanis[$j] : null;
$stmt->execute();
}
where $conn is a mysqli object.
$conn = new mysqli($servername, $username, $password, $dbname);
but I want to get rid of it completely and use only my $db object which is:
$db = new ezSQL_mysqli();
I hope there is a way of using prepared statements with ezSQL, that would make me more comfortable, otherwise I'll have to use both.
I know this is an old question, but there are options for prepared statements from v3.08+.
When you create your connection you simply use $db->prepareOn();. Here's an example using this code
// To get SQL calls to use prepare statements
$db->prepareOn(); // This needs to be called at least once at instance creation
$db->query_prepared('INSERT INTO profile( name, email, phone) VALUES( ?, ?, ? );', [$user, $address, $number]);
$db->query_prepared('SELECT name, email FROM profile WHERE phone = ? OR id != ?', [$number, 5]);
$result = $db->queryResult(); // the last query that has results are stored in `last_result` protected property
foreach ($result as $row) {
echo $row->name.' '.$row->email;
}
More information can be found on the new Wiki
No, there isn't any built-in prepared statement feature in ezsql.
Use $db->escape() function for unsafe variables. This is the safest option available.
I am new to PHP and am trying to update a deprecated code from mysql to PDO.
Considering that the variable $insert contains all values to bulk insert such as:
('82817cf5-52be-4ee4-953c-d3f4ed1459b0','1','EM3X001P.1a','04.03.10.42.00.02'),
('82817cf5-52be-4ee4-953c-d3f4ed1459b0','2','EM3X001P.2a','04.03.10.33.00.02'),
...etc 13k lines to insert
here is the deprecated code:
mysql_connect('localhost', 'root', '') or die(mysql_error());
mysql_select_db("IPXTools") or die(mysql_error());
if ($insert != '')
{
$insert = "INSERT INTO IPXTools.MSSWireList (ID,Record,VlookupNode,HostWireLocation) VALUES ".$insert;
$insert .= "ON DUPLICATE KEY UPDATE Record=VALUES(Record),VlookupNode=VALUES(VlookupNode),HostWireLocation=VALUES(HostWireLocation)";
mysql_query($insert) or die(mysql_error());
$insert = '';
}
here is the new code:
try
{
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //set the PDO error mode to exception
// prepare sql and bind parameters
$stmt = $conn->prepare("INSERT INTO IPXTools.MSSWireList (ID, Record, VlookupNode, HostWireLocation)
VALUES (:ID, :Record, :VlookupNode, :HostWireLocation)");
$stmt->bindParam(':ID', $ID);
$stmt->bindParam(':Record', $Record);
$stmt->bindParam(':VlookupNode', $VlookupNode);
$stmt->bindParam(':HostWireLocation', $HostWireLocation);
// insert a row
// loop through all values inside the $insert variable??????? how?
$stmt->execute();
}
catch(PDOException $e)
{
echo "Error: " . $e->getMessage();
}
$conn = null;
During my research I found an excellent post:
PDO Prepared Inserts multiple rows in single query
One method says I would have to change my $insert variable to include all the field names.
And other method says I dont have to do that. I am looking at Chris M. suggestion:
The Accepted Answer by Herbert Balagtas works well when the $data array is small. With larger $data arrays the array_merge function becomes prohibitively slow. My test file to create the $data array has 28 cols and is about 80,000 lines. The final script took 41s to complete
but I didnt understand what he is doing and I am trying to adapt my code to his. The PHP sintax is new to me so I am strugling with handling the arrays, etc...
I guess the starting point would be the variable $insert which contains all the database values I need.
Do I need to modify my $insert variable to include the field names?
Or I could just use its content and extract the values (how?) and include the values in a loop statement? (that would probably execute my 13k rows one at at time)
Thank you
If you have 13k records to insert, it is good for performance to do not use prepared SQL statement. Just generate SQL query in format like this:
INSERT INTO IPXTools.MSSWireList
(ID, Record, VlookupNode, HostWireLocation)
VALUES
('id1', 'r1', 'node1', 'location1'),
('id2', 'r2', 'node2', 'location2'),
...
('id13000', 'r13000', 'node13000', 'location13000');
What you may do for it - use maner of your legacy code. Your try block will looks loke this:
try
{
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->exec($insert);
}
When I run this code I get the error "Object of class mysqli could not be converted to string" on the line where I declare a new mysqli object. I can't find the error no matter how many times I read it over.
if(isset($_SESSION['username']))
{
echo $_POST['course'],
$mysqli = new mysqli("localhost","sec_user","Uzg82t=u%#bNgPJw","GPA_Tracker");
$user = $_SESSION['username'];
$stmt = $mysqli->prepare("INSERT into assessment_type (username, courseID, assessment, percentage) VALUES (?, ?, ?, ?)");
$stmt->bind_param('ssss', $user, $_POST['course'], $_POST['assesment'], $_POST['percentage']);
$stmt->execute();
}
As noted in the comments, this is where you have the problem:
echo $_POST['course'], //notice the comma, rather than a semi-colon ";"
$mysqli = new mysqli("localhost","sec_user","Uzg82t=u%#bNgPJw","GPA_Tracker");
The echo statement/construct accepts a comma-separated list of statements, hence coming across the , it thinks the next statement following it is also to be echoed. As it turns out, that next statement is an object-creation statement, whereas echo accepts only strings.
To fix the error, properly close your echo $_POST['course'] with a semicolon like below:
echo $_POST['course'];
I found the following code on php.net. I'm trying to write a wrapper for the MySQLi library to make things incredibly simple. If this is going to slow down performance, I'll skip it and find another way, if this works, then I'll do that.
I have a single query function, if someone passes in more than one variable, I assume the function has to be prepared. The function that I would use to pass in an array to mysqli_stmt_bind_param is call_user_func_array, I have a feeling that is going to slow things down. Am I right?
<?php
/* just explaining how to call mysqli_stmt_bind_param with a parameter array */
$sql_link = mysqli_connect('localhost', 'my_user', 'my_password', 'world');
$type = "isssi";
$param = array("5", "File Description", "File Title", "Original Name", time());
$sql = "INSERT INTO file_detail (file_id, file_description, file_title, file_original_name, file_upload_date) VALUES (?, ?, ?, ?, ?)";
$sql_stmt = mysqli_prepare ($sql_link, $sql);
call_user_func_array('mysqli_stmt_bind_param', array_merge (array($sql_stmt, $type), $param);
mysqli_stmt_execute($sql_stmt);
?>
Nope. You're wrong.
1 call_user_func_array call can never be the performance bottle neck.
So if it performed slow - then your query runs slow.
Just as usual i was looking around best practices with PHP, and prepared statements seems the kind of stuff i should now how do with my eyes closed. So i started playing around with some examples i've found.
I've got this error when running the script:
Fatal error: Call to a member function
bindParam() on a non-object in
/opt/lampp/htdocs/phpSecurity/PreparedStatments/Insert-Multi-Binded-Params/Insert
Simple Method.php on line 10
Here it goes the code.
Insert Simple Method.php
<?php
require_once '../config.php';
$stmt = $db->prepare("INSERT INTO coisas (nome, telefone, bi) VALUES (?, ?, ?)");
$nome = 'Fabio Antunes';
$telefone = 916810641;
$bi = 123093456;
$stmt->bindParam(1, $nome);
$stmt->bindParam(2, $telefone);
$stmt->bindParam(3, $bi);
$stmt->execute();
$stmt->close();
$db->close();
?>
config.php
<?php
$server_host = 'localhost';
$server_user = 'root';
$server_password = '';
$server_db = 'PreparedStatements';
$db = new mysqli($server_host, $server_user, $server_password, $server_db);
?>
Not sure what i'm doing wrong here, this is similar example found at php.net, why isn't working?
PS: I think the mysqli connection isn't the problem because I've used it to do some prepared statements with SELECT SQL commands. And worked pretty well.
EDIT
The Resolution and why.
Well in the example i should use bind_param() for each value in the query. But thanks to Bart, he managed to solve the problem with my code.
Where it is:
$stmt->bindParam(1, $nome);
$stmt->bindParam(2, $telefone);
$stmt->bindParam(3, $bi);
It should be:
$stmt->bind_param("sii", $nome, $telefone, $bi);
Now for those who might wondering what is "sii".
Well bind_param for what i see it binds the "$var" to each question mark "?" in order.
So with one bind_param() i can bind them all at the same time, and the normal use of bind_param() requires to specify the type of data being binded.
My first value to be binded is $nome a String, specified by the "s";
And the others $telefone and $bi are Integers for that he have "i";
For others that have a similar problem here it goes other data types (from php.net).
i = Integer;
s = String;
d = Double;
b = Blob;
If someone as a better explanation please post it or comment. So i can improve my own.
Thanks.
You may think there's nothing wrong with the connection, but you should check to make sure:
$db = new mysqli($server_host, $server_user, $server_password, $server_db);
if (mysqli_connect_errno()) {
printf("DB error: %s", mysqli_connect_error());
exit();
}
EDIT:
What happens when you do:
$stmt = $db->prepare("INSERT INTO coisas (nome, telefone, bi) VALUES (?, ?, ?)");
$stmt->bind_param("sii", $nome, $telefone, $bi);
$stmt->execute();
?
Is the table coisas spelled properly?
do a print_r on $stmt after you get it back on line 4. Is it a real object? I am guessing no.