Author Topic: Prepared MYSQL statements (Read 197 times)

MrMorph · « **on:** January 15, 2021, 09:02:47 AM »

I'd like to use prepared MYSQL statements to insert data into the database, for added security.

I'm thinking smcFunc already does this, is that assumption correct? Nothing is mentioned in the docs that I can see.

Kindred · « **Reply #1 on:** January 15, 2021, 09:24:36 AM »

smcFunc sanitizes the SQL queries, yes

Suki · « **Reply #2 on:** January 15, 2021, 09:29:59 AM »

Yes, you can use prepared statements. They are a bit different than what you normally would do in PDO but the usage is almost the same:

Code: [Select]

$result = $smcFunc['db_query']('' ,'
     SELECT ppl.first_name, ppl.last_name, add.city, add.address
     FROM {db_prefix}people as ppl
          LEFT JOIN {db_prefix}addresses as add ON (add.id_address = ppl.id_address)
     WHERE ppl.id_person = {int:person}
          AND (ppl.middle_name = 'foo' OR ppl.suffix != 'jr')
          AND {bool:condition}',
     array(
         'person' => $id_person,
         'condition' => $condition,
     )
 );

You can use the most common data types: int, string,array_int, array_string, date, float, identifier, etc. Theres also the "raw" type for special cases where you might want to add raw SQL/data.

/Edit 16,000 posts!

MrMorph · « **Reply #3 on:** January 15, 2021, 09:59:25 AM »

Great, thank you both

News:

Author Topic: Prepared MYSQL statements (Read 197 times)

MrMorph

Prepared MYSQL statements

Kindred

Re: Prepared MYSQL statements

Suki

Re: Prepared MYSQL statements

MrMorph

Re: Prepared MYSQL statements