
Prepared MYSQL statements

Started by MrMorph, January 15, 2021, 09:02:47 AM


MrMorph

I'd like to use prepared MYSQL statements to insert data into the database, for added security.

I'm thinking smcFunc already does this, is that assumption correct? Nothing is mentioned in the docs that I can see.

Kindred

smcFunc sanitizes the SQL queries, yes
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Suki

Yes, you can use prepared statements. They are a bit different than what you normally would do in PDO but the usage is almost the same:


// Placeholders such as {int:person} are substituted by $smcFunc according to
// their declared type; the values themselves never go into the query string raw.
// The address table alias is "addr" rather than "add", since ADD is a reserved
// word in MySQL and would make the query fail to parse.
$result = $smcFunc['db_query']('', '
     SELECT ppl.first_name, ppl.last_name, addr.city, addr.address
     FROM {db_prefix}people AS ppl
          LEFT JOIN {db_prefix}addresses AS addr ON (addr.id_address = ppl.id_address)
     WHERE ppl.id_person = {int:person}
          AND (ppl.middle_name = \'foo\' OR ppl.suffix != \'jr\')
          AND {bool:condition}',
     array(
         'person' => $id_person,
         'condition' => $condition,
     )
);


You can use the most common data types: int, string, array_int, array_string, date, float, identifier, etc. There's also the "raw" type for special cases where you might want to add raw SQL/data.



/Edit  16,000 posts!  8)
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.
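Since the original question was about inserting data, here is an added example (not Suki's code and not part of SMF itself) that writes a row with $smcFunc['db_insert'] and reads it back with a typed placeholder. It assumes the SMF 2.x $smcFunc API is loaded (db_insert, db_insert_id, db_query, db_fetch_assoc, db_free_result); the {db_prefix}people table, its columns and the helper function names are hypothetical. The point for anyone worried about injection: every value enters the query only through its declared type (string values are escaped and quoted, int and array_int values are reduced to integers), so a value containing a quote is stored as data and cannot alter the shape of the statement.

```php
<?php
// Added example: insert then look up rows through SMF's $smcFunc wrappers.
// Assumes SMF 2.x's $smcFunc is available (e.g. inside a mod or custom action
// after SSI.php / index.php has loaded). Table and columns are hypothetical.

function addPerson($first, $last, $id_address)
{
    global $smcFunc;

    // Column => type map. 'string' columns are escaped and quoted by SMF,
    // 'int' columns are cast to integers; nothing is concatenated raw.
    $smcFunc['db_insert']('insert',
        '{db_prefix}people',
        array('first_name' => 'string', 'last_name' => 'string', 'id_address' => 'int'),
        array($first, $last, $id_address),
        array('id_person')
    );

    // Auto-increment id of the row just written.
    return $smcFunc['db_insert_id']('{db_prefix}people', 'id_person');
}

function findPeopleByIds(array $ids)
{
    global $smcFunc;

    // array_int expands to a comma-separated list of integers, so a list
    // coming from $_REQUEST can be passed once each element is cast to int.
    $request = $smcFunc['db_query']('', '
        SELECT id_person, first_name, last_name
        FROM {db_prefix}people
        WHERE id_person IN ({array_int:ids})
        ORDER BY last_name',
        array(
            'ids' => array_map('intval', $ids),
        )
    );

    $people = array();
    while ($row = $smcFunc['db_fetch_assoc']($request))
        $people[$row['id_person']] = $row;
    $smcFunc['db_free_result']($request);

    return $people;
}

// Usage: a last name containing a quote is stored literally, not interpreted.
$id = addPerson('Conan', "O'Brien", 3);
$rows = findPeopleByIds(array($id));
```

If you need a column in an IN list to be strings rather than ids, use array_string the same way; reserve the raw type for fragments you built yourself from constants, never for anything that came from a request.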

MrMorph
