1

I was told to use bind parameters so that I could insert text into my db that had quotes in it. But, I am pretty confused when it comes to how to do this, the commands seem confusing to me.

So, if I had a php string, that contained html, how would I insert this into my DB using bind parameters?

I wanted to INSERT it, how would I do this?

$str = '<div id="test"><a href="#">Test string in db</a></div> string content';

I was told to use something like:

$rs = $db->Execute('select * from table where val=?', array('10'));
Improve this question

4 Answers 4

Reset to default
0

I haven't used ADODB for a while but I believe this should work, no?

$str = '<div id="test"><a href="#">Test string in db</a></div> string content';
$rs = $db->Execute('select * from table where val=?', array($str));
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

The ?'s in the SQL serve as placeholders for values that are bound to the statement.

When executed, ADO is executing (given your example) 

select * from table where val=10

You should be able to construct your insert SQL roughly as:

INSERT INTO `table` (`col1`, `col2` ...) VALUES(?, ? ...)

Passing in your values (in the correct order) will render the appropriate query.

Improve this answer

1 Comment

How would I do an UPDATE statement with binding? I currently have: "UPDATE x_ast_attr SET cust_val = '$attr' WHERE id='$this->assetid'"
0

Using mysql_real_escape_string should do the trick too, it escapes the quotes automatically after which you can insert data into the database, consider this example:

$str = '<div id="test"><a href="#">Test string in db</a></div> string content';
$str_escaped = mysql_real_escape_string($str);

Now you can safely use the $str_escaped variable to insert data into the database. Furthermore, it is useful in preventing SQL injection attacks.

Improve this answer

6 Comments

What? stackoverflow.com/questions/2353666/…
@jasonbar: could you be more specific?
I mean, you just argued that mysql_real_escape_string() is not sufficient for preventing SQL injections. Now it is? This also doesn't address the question.
@jasonbar: i said "mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend." you see i did not reject it totally, i said it is good too, it is a very good friend and then i said but prepared statements were better. Hope that clarifies.
@Sarfraz: He's actually using prepared statements here, though. I understand and agree with your position. Also, You have a typo "mysql-real-escape-string"
|
0

Adapted from the CodeIgniter framework:

function compile_binds($sql, $binds)
{
    if (strpos($sql, '?') === FALSE)
    {
        return $sql;
    }

    if ( ! is_array($binds))
    {
        $binds = array($binds);
    }

    // Get the sql segments around the bind markers
    $segments = explode('?', $sql);

    // The count of bind should be 1 less then the count of segments
    // If there are more bind arguments trim it down
    if (count($binds) >= count($segments)) {
        $binds = array_slice($binds, 0, count($segments)-1);
    }

    // Construct the binded query
    $result = $segments[0];
    $i = 0;
    foreach ($binds as $bind)
    {
        $result .= mysql_real_escape_string($bind);
        $result .= $segments[++$i];
    }

    return $result;
}

Then you could have a function:

function query($sql, $binds)
{
    return $db->Execute(compile_binds($sql, $binds));
}

$query = query('select * from table where val=?', array('10'));
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.