Author Topic: Prepared MYSQL statements  (Read 197 times)

Offline MrMorph

  • Jr. Member
  • Posts: 132
Prepared MYSQL statements
« on: January 15, 2021, 09:02:47 AM »
I'd like to use prepared MYSQL statements to insert data into the database, for added security.

I'm thinking smcFunc already does this, is that assumption correct? Nothing is mentioned in the docs that I can see.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • Posts: 59,830
  • Gender: Male
    • Kindred-999 on GitHub
Re: Prepared MYSQL statements
« Reply #1 on: January 15, 2021, 09:24:36 AM »
smcFunc sanitizes the SQL queries, yes
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Offline Suki

  • Carthago delenda est
  • Lead Developer
  • SMF Super Hero
  • Posts: 16,000
  • Oh, wouldn't it be great if I *was* crazy?
    • MissAllSunday on GitHub
    • SMF mods
Re: Prepared MYSQL statements
« Reply #2 on: January 15, 2021, 09:29:59 AM »
Yes, you can use prepared statements. They are a bit different than what you normally would do in PDO but the usage is almost the same:

Code:
// "addr" rather than "add" as the alias: ADD is a MySQL reserved word.
// Quotes inside the single-quoted PHP string must be escaped; the flag is passed as int (0 or 1).
$result = $smcFunc['db_query']('', '
     SELECT ppl.first_name, ppl.last_name, addr.city, addr.address
     FROM {db_prefix}people AS ppl
          LEFT JOIN {db_prefix}addresses AS addr ON (addr.id_address = ppl.id_address)
     WHERE ppl.id_person = {int:person}
          AND (ppl.middle_name = \'foo\' OR ppl.suffix != \'jr\')
          AND {int:condition}',
     array(
         'person' => $id_person,
         'condition' => $condition,
     )
 );

You can use the most common data types: int, string, array_int, array_string, date, float, identifier, etc. There's also the "raw" type for special cases where you might want to add raw SQL/data.



/Edit  16,000 posts!  8)
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

Making tough decisions, so you don't have to.
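
An added example, not code from this thread or from SMF itself, showing the same typed-placeholder mechanism applied to the INSERT that MrMorph asked about, plus a multi-row SELECT. It assumes a hypothetical {db_prefix}people table with columns id_person, first_name, last_name and id_address, and that $smcFunc has been loaded by including SSI.php; the function names add_person and people_by_ids are this example's own.

```php
<?php
// Added example, not from the original thread or from SMF. Assumes SSI.php is
// reachable (so $smcFunc is populated) and that {db_prefix}people exists with
// the columns used below. Table, columns and function names are assumptions.
require_once(dirname(__FILE__) . '/SSI.php');

// Insert one row. Each column carries a declared type: 'string' values are
// escaped and quoted by SMF before the SQL text is built, and 'int' values are
// checked so that a non-integer aborts the query with a "Wrong value type sent
// to the database" error instead of reaching MySQL. Returns the new id_person.
function add_person($first_name, $last_name, $id_address)
{
	global $smcFunc;

	// Validate up front rather than letting a (int) cast silently turn a
	// hostile value such as '7 OR 1=1' into 7.
	if ((string) (int) $id_address !== (string) $id_address)
		fatal_error('Invalid address id.', false);

	$smcFunc['db_insert']('insert',
		'{db_prefix}people',
		array('first_name' => 'string', 'last_name' => 'string', 'id_address' => 'int'),
		array($first_name, $last_name, (int) $id_address),
		array('id_person')
	);

	return $smcFunc['db_insert_id']('{db_prefix}people', 'id_person');
}

// Look up several people at once. 'array_int' expands to a comma-separated
// list of validated integers; 'identifier' backtick-quotes a column name, which
// is how to parameterise ORDER BY without falling back to 'raw'.
function people_by_ids(array $ids, $order_by = 'last_name')
{
	global $smcFunc;

	// SMF raises an error for an empty array_int, so handle that case here.
	if (empty($ids))
		return array();

	// A column name is not a value and cannot be escaped like one: whitelist it.
	if (!in_array($order_by, array('first_name', 'last_name', 'id_person'), true))
		$order_by = 'last_name';

	$request = $smcFunc['db_query']('', '
		SELECT id_person, first_name, last_name
		FROM {db_prefix}people
		WHERE id_person IN ({array_int:ids})
		ORDER BY {identifier:order_by}',
		array(
			'ids' => $ids,
			'order_by' => $order_by,
		)
	);

	$people = array();
	while ($row = $smcFunc['db_fetch_assoc']($request))
		$people[(int) $row['id_person']] = $row['first_name'] . ' ' . $row['last_name'];
	$smcFunc['db_free_result']($request);

	return $people;
}

// Constructed input carrying a classic injection payload. Through the 'string'
// type it is stored as a literal, not executed as SQL.
$hostile = "Robert'); DROP TABLE people; --";
$new_id = add_person($hostile, 'Tables', 7);
print_r(people_by_ids(array($new_id, 1, 2), 'first_name'));

// What NOT to do: 'raw' performs no escaping at all, so request data placed in
// it reintroduces exactly the injection the typed placeholders prevent:
// $smcFunc['db_query']('', 'SELECT ... WHERE first_name = {raw:name}',
//     array('name' => "'" . $_POST['name'] . "'"));
```

The typed placeholders are validated and escaped on the PHP side before the finished SQL string is sent to MySQL; 'raw' is the one type that skips that step, so it should only ever receive SQL fragments that the code itself composed, never anything derived from a request.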

Offline MrMorph

  • Jr. Member
  • **
  • Posts: 132
Re: Prepared MYSQL statements
« Reply #3 on: January 15, 2021, 09:59:25 AM »
Great, thank you both  8)