Prepared MYSQL statements

Started by MrMorph, January 15, 2021, 09:02:47 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

MrMorph

January 15, 2021, 09:02:47 AM
I'd like to use prepared MYSQL statements to insert data into the database, for added security.

I'm thinking smcFunc already does this, is that assumption correct? Nothing is mentioned in the docs that I can see.

Kindred

#1
January 15, 2021, 09:24:36 AM
smcFunc sanitizes the SQL queries, yes
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

All Colours Sam

#2
January 15, 2021, 09:29:59 AM
Yes, you can use prepared statements. They are a bit different than what you normally would do in PDO but the usage is almost the same:

Code Select

$result = $smcFunc['db_query']('' ,'
     SELECT ppl.first_name, ppl.last_name, add.city, add.address
     FROM {db_prefix}people as ppl
          LEFT JOIN {db_prefix}addresses as add ON (add.id_address = ppl.id_address)
     WHERE ppl.id_person = {int:person}
          AND (ppl.middle_name = 'foo' OR ppl.suffix != 'jr')
          AND {bool:condition}',
     array(
         'person' => $id_person,
         'condition' => $condition,
     )
);


You can use the most common data types: int, string,array_int, array_string, date, float, identifier, etc.  Theres also the "raw" type for special cases where you might want to add raw SQL/data.



/Edit  16,000 posts!  8)
Oh, wouldn't it be great if I *was* crazy? ...then the world would be okay
Suki

MrMorph

#3
January 15, 2021, 09:59:25 AM
Great, thank you both  8)
Print
Go Up Pages1
User actions
Advertisement: