This question already has answers here:
How do I set ORDER BY params using prepared PDO statement?
(7 answers)
Closed 5 years ago.
I am using different values in ORDER BY clause of SQL queries based upon user selection. How do I escape this selected value using mysqli_real_escape_string() function?
For example, the url is as following:
localhost/person/person_listing.php?sort_by=date_of_birth
Based on this I am using:
if (isset($_GET['sort_by'])) {
$sort_by = trim($_GET['sort_by']);
if (!empty($sort_by)) {
$order_by_sql = " ORDER BY $sort_by";
}
}
The question is, what is the best way to escape this type of add-on to SQL? Can the entire ORDER BY clause be escaped at once, or each value has to be escaped individually?
The best way to do this would be to use a prepared statement. Your code would look kind of as follows: (grabbed from here.
Basically, you add a question mark wherever you have a variable you would want to pass. And then you pass it with the mysqli_stmt_bind_param function. ss here means that you want to pass 2 strings.
if ($stmt = mysqli_prepare($link, "SELECT * FROM users WHERE Name=? ORDER BY ?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "ss", $name, $sort_by);
}
Related
This question already has answers here:
PHP - Using PDO with IN clause array
(9 answers)
MySQLi prepared statements with IN operator [duplicate]
(1 answer)
Closed 3 years ago.
So I have this sql preparted statment:
SELECT carName, modelName
FROM cars
INNER JOIN model ON cars.idCar = model.idCar
WHERE carName IN (?)`
$input = " 'toyota','honda' "
I am trying to put this into the sql statment, but it gives zero rows out. I have tried the query in phpMyAdmin and there it works all fine. Anyone know the problem?
You need one parameter per value in the IN list. If you pass a single parameter, it is interpreted as a unique string that contains a comma, which is not what you want (and you end up with no match, since none of the names in the table matches this value).
So for two parameters:
SELECT carName, modelName
FROM cars
INNER JOIN model ON cars.idCar = model.idCar WHERE carName IN (?, ?);
The IN clause takes multiple arguments and each parameter can only take on one value. So to automate the process of inserting multiple parameters in this statement you could use something like the following:
/* Execute a prepared statement using an array of values for an IN clause */
$params = ['toyota', 'honda'];
/* Create a string for the parameter placeholders filled to the number of params */
$place_holders = implode(',', array_fill(0, count($params), '?'));
/*
This prepares the statement with enough unnamed placeholders for every value
in our $params array. The values of the $params array are then bound to the
placeholders in the prepared statement when the statement is executed.
This is not the same thing as using PDOStatement::bindParam() since this
requires a reference to the variable. PDOStatement::execute() only binds
by value instead.
*/
$st = $db->prepare("SELECT carName, modelName FROM cars WHERE carName IN ($place_holders)");
$st->execute($params);
This question already has answers here:
pdo prepared statements with wildcards
(2 answers)
How to bind LIKE values using the PDO extension?
(7 answers)
How do I create a PDO parameterized query with a LIKE statement?
(9 answers)
PHP PDO & SQL Search wildcard bind parameters
(1 answer)
Using named parameters with PDO for LIKE
(1 answer)
Closed 4 years ago.
I've been trying to replace the value in '%:value%' when I use the LIKE operator in my query.
I have also tried using CONCAT() but that didnt work either.
$query = "SELECT *
FROM books
WHERE title LIKE '%:title%'";
...
...
statement->bindValue(':title', $title, PDO::PARAM_STR);
:title should be replaced with the variable $title but it doesnt. The query is working fine but the :title just doesnt get replaced.
You probably want :
$query = "SELECT *
FROM books
WHERE title LIKE CONCAT( '%', :title, '%')";
...
...
statement->bindValue(':title', $title, PDO::PARAM_STR);
The bind parameter should be used as a litteral string. CONCAT can be used to concatenate the parameter with percent signs on both ends.
Did you try using concat() like this?
SELECT *
FROM books
WHERE title LIKE CONCAT('%', :title, '%')
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I just thought about the safety of my php script and read a lot about sql injections.Now I have a question to save me from it.Is it right when my script doesnt accept characters like ' , ; or " ? Or I just catch this from my Android app ? So I just see the problem in these caracters. Am I right ? Or is there sth I dont see ? If not what would be the easiest way to safe it ?
never check the string for injection, all you need to do is not concatenate the variable.
Use Prepared Statements.
a "example" in mysqli extract from http://www.wikihow.com/Prevent-SQL-Injection-in-PHP
$name = $_GET['username'];
if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {
// Bind a variable to the parameter as a string.
$stmt->bind_param("s", $name);
// Execute the statement.
$stmt->execute();
// Get the variables from the query.
$stmt->bind_result($pass);
// Fetch the data.
$stmt->fetch();
// Display the data.
printf("Password for user %s is %s\n", $name, $pass);
// Close the prepared statement.
$stmt->close();
}
read: http://www.veracode.com/security/sql-injection
if your idea is check the variables for ' or " or ;, it's a hard endless job and in the end can solve by using PDO statment.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
How do I sanitize input with PDO?
I'm pulling in an id via $_GET. I just started using PDO and I'm unsure if this is safe or not. Obviously, the code below is using $_GET to grab an id. I'm not sanitizing it at all before I place it in the query. Is this safe?
<?php
if (isset($_GET['id'])) {
$blogid = $_GET['id'];
$post = $dbh->query("SELECT id, title, slug, body, image, author, date, category from blog WHERE id='$blogid' ORDER BY date DESC");
$row = $post->fetch(); ?>
I'm not sanitizing it at all before I place it in the query
Nope. Not safe at all. :)
You either need to escape it, or use a prepared statement. With PDO, I would use a prepared statement:
if (isset($_GET['id']) && is_string($_GET['id'])) {
$blogid = $_GET['id'];
$stmt = $dbh->prepare("SELECT id, title, slug, body, image, author, date, category from blog WHERE id= :id ORDER BY date DESC");
$stmt->execute(array('id' => $_GET['id']));
$row = $stmt->fetch();
}
It is NEVER safe to insert a variable in a SQL query without sanitizing/escaping it.
What you could do, if you don't want to escape it yourself is to use a prepare statement and bind your parameters.
You can check the PHP documentation...
About of how use PDO prepare:
http://php.net/manual/en/pdo.prepare.php
How to use the parameters binding:
http://www.php.net/manual/en/pdostatement.bindparam.php
This question already has answers here:
How can I bind an array of strings with a mysqli prepared statement?
(7 answers)
Closed 3 years ago.
I’m moving some old code over to the new msqli interface using prepared statements, I’m having trouble with SQL statements containing the IN clause. I would just normally do this:
$ids = '123,535,345,567,878'
$sql = "SELECT * FROM table WHERE id IN ($ids)";
$res = mysql_query($sql);
Converting this to mysqli and prepared statements I have tried a number of solutions:
$ids = '123,535,345,567,878'
$ids = implode($ids,',');
$result = $msqli->prepare("SELECT foo,blar FROM table WHERE id IN (?));
$result->bind_param("i", $ids);
$result->execute();
The above fails and calculating the number of elements in the array and altering number of question marks in the SQL string and calling bind_parm for each element in the array also fails. Just using the comma separated string also fails.
I can find no good documentation in Google on this, so how have you solved the problem?
It's not possible to bind a list of variable length to a single bound variable.
Similarly, if you were to bind the string $ids you'll actually end up with:
SELECT foo,blar FROM table WHERE id IN ('123,535,345,567,878')
(Note the quotes around the list of IDs).
Creating your own query with the right number of question marks and bound parameters should have actually worked - you may need to try that again and report on the actual error.
Alternatively, this may be one of those occasions where it's unfortunately necessary to hand-craft your own SQL and not use bound parameters.
Look at the answer to a similar question that has been asked here before (second code sample):
I have an array of integers, how do I use each one in a mysql query (in php)?
It boils down to:
create the SQL string with the right amount of question marks
use call_user_func_array() to bind your array to the query string
I thought the point of prepared statements was so in this situation you could just do:
$stmt = $this->mysqli->prepare("UPDATE radcheck SET attribute = ?, value = ? WHERE username = ? AND attribute LIKE 'CS-Total-Octets%'");
foreach ($usernames as $username)
{
$stmt->bind_param('sss', $bandwidth_types[$bandwidth_type], $bandwidth_bytes, $username);
$stmt->execute();
}
$stmt->close();