Re: [PEAR] PEAR::MDB2
Author: Lorenzo Alberton
2006-11-21, 6:59 pm

Hi Damian,

> Hi, I'm trying to work with MDB2 and have some problems. Maybe someone can
> help me.
> First, once I have an MDB2 connection on $mdb2, I'm trying to make a query
> using quote to prevent SQL injections.
>
> $int = $mdb2->quote('11', 'integer');
> $query = 'SELECT someDate, someNumber FROM myTable WHERE someInteger = ' .
> $int;
> var_dump($query);
> $result = $mdb2->exec($query, array('date', 'integer'));


exec() should be used for manipulation queries (INSERT / UPDATE / ...). If you want to SELECT some fields, use query():

http://pear.php.net/manual/en/packa...intro-query.php

If you want to query and fetch the data in one shot, you can use one of queryAll(), queryCol(), queryRow(), queryOne():

http://pear.php.net/manual/en/packa...intro-fetch.php

> I suppose that $query should be something like SELECT someDate, someNumber
> FROM myTable WHERE someInteger = 11 or maybe SELECT someDate, someNumber
> FROM myTable WHERE someInteger = '11' (I prefer this one, can I choose to
> put or not the quotes?)


MySQL accepts the quotes around integer values, but all the other DBMS don't, so it's better if you don't put quotes around integers in any case.


> Second, can I use prepare for SELECT queries?


Absolutely, yes.

> I saw that the result object of
> prepare only has an exec method. If I want to make a query with parameters
> (in
> the where condition) and I want to set types to those parameters, and I want
> to work my input data to prevent SQL injections and bind the variable
> (after filtering it) to the parameter in the query, which is the best way?


http://pear.php.net/manual/en/packa...tro-execute.php


> I don't know if this makes the quote using the parameter type or not.


If you use prepared queries, and pass an array containing the datatypes of your parameters, then quoting is done automatically where necessary.

> Thanks for your help.


You're welcome.

BTW: all of your questions are covered by the docs:
http://pear.php.net/manual/en/package.database.mdb2.php
so you may want to read them to learn how to use MDB2.

Best regards,
--
Lorenzo Alberton
http://pear.php.net/user/quipo
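As an added illustration of the three points made in the reply above (typed quote(), query() rather than exec() for a SELECT, and prepare()/execute() with a types array), here is a complete PHP script. It is not code from the thread or from the MDB2 package. The DSN is a placeholder, the table and column names are the ones from Damian's message, and the untrusted input value is constructed for the example.

```php
<?php
// Added example, not part of the original thread or of PEAR::MDB2 itself.
// Assumes PEAR::MDB2 and a driver (mysqli here) are installed.
require_once 'MDB2.php';

$dsn  = 'mysqli://user:password@localhost/database'; // placeholder DSN
$mdb2 = MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage());
}
// MDB2's default portability options lowercase column names in fetched rows.
$mdb2->setFetchMode(MDB2_FETCHMODE_ASSOC);

// 1. quote() with an explicit type. Integers come back unquoted and cast, so
//    the resulting SQL is valid on every DBMS, not only MySQL.
$int  = $mdb2->quote('11', 'integer');     // 11
$junk = $mdb2->quote('11abc', 'integer');  // constructed bad input: cast to 11
$text = $mdb2->quote("O'Reilly", 'text');  // escaped and wrapped in quotes

$query = 'SELECT someDate, someNumber FROM myTable WHERE someInteger = ' . $int;

// 2. A SELECT goes through query(); the optional second argument gives the
//    types of the result columns. exec() is for INSERT/UPDATE/DELETE and
//    returns the number of affected rows, not a result set.
$result = $mdb2->query($query, array('date', 'integer'));
if (PEAR::isError($result)) {
    die($result->getMessage());
}
while ($row = $result->fetchRow()) {
    printf("%s %d\n", $row['somedate'], $row['somenumber']);
}
$result->free();

// 3. prepare()/execute() for a parameterized SELECT. The types array tells
//    MDB2 how to quote each placeholder, so the raw input never reaches the
//    SQL text; MDB2_PREPARE_RESULT marks the statement as returning rows.
$userInput = '11abc'; // constructed untrusted input
$sth = $mdb2->prepare(
    'SELECT someDate, someNumber FROM myTable WHERE someInteger = ?',
    array('integer'),
    MDB2_PREPARE_RESULT
);
if (PEAR::isError($sth)) {
    die($sth->getMessage());
}
$res = $sth->execute(array($userInput));
if (PEAR::isError($res)) {
    die($res->getMessage());
}
$rows = $res->fetchAll(); // every matching row, keyed by lowercased column name
$res->free();
$sth->free();

// 4. The exec() case: a manipulation query whose return value is a row count.
$affected = $mdb2->exec(
    'UPDATE myTable SET someNumber = ' . $mdb2->quote(5, 'integer')
    . ' WHERE someInteger = ' . $int
);
if (PEAR::isError($affected)) {
    die($affected->getMessage());
}
printf("%d row(s) updated\n", $affected);
```

The same types array can be passed to queryAll(), queryRow(), queryCol() and queryOne() when you want the fetch done in one call; the prepared form in step 3 is the one to prefer whenever the WHERE value comes from a request, because the type declaration, not the caller, decides how the value is quoted.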

Copyright 2008 codecomments.com