?
SQL-, :
// Demonstration data: the first name carries the classic "Bobby Tables"
// payload (xkcd 327) — a closing quote followed by a second statement.
$fname = "Robert'); DROP TABLE students;--";
$lname = 'Smith';

// Naive variant: the values are interpolated straight into the query text,
// so the quote inside $fname terminates the string literal early and the
// remainder of the value is parsed as SQL.
// NOTE(review): `SELECT FROM` has no column list — probably `SELECT *` lost in formatting.
$pureSql = "SELECT FROM `users` WHERE `fname` = '$fname' AND `lname` = '$lname'";

// Placeholder variant: the values are kept out of the query text until
// prepare() escapes and quotes them into the :name slots.
$prepSql = "SELECT FROM `users` WHERE `fname` = :userfname AND `lname` = :userlname";

echo $pureSql . "\n";
echo prepare($prepSql, ['userfname' => $fname, 'userlname' => $lname]) . "\n";
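/**
 * Emulates a prepared statement by escaping and single-quoting each parameter
 * value into the matching `:name` placeholder of $sql.
 *
 * This is client-side escaping, not a server-side prepared statement: query
 * text and data still reach the server as one string, so the escaper must be
 * aware of the connection's character set (e.g. mysqli::real_escape_string or
 * PDO::quote). A native PDO/mysqli prepare() with bound values is the safer
 * choice wherever it is available.
 *
 * @param string               $sql    Query text containing `:name` placeholders.
 * @param array<string, mixed> $params Placeholder name (without the colon) => value.
 * @param callable|null        $escape Applied to each value before it is wrapped in
 *                                     single quotes. Defaults to the legacy
 *                                     mysql_real_escape_string() for compatibility;
 *                                     that function was removed in PHP 7, so pass an
 *                                     explicit escaper on modern PHP.
 * @return string The query with every known placeholder replaced. Unknown
 *                placeholders are left untouched; the input is returned as-is when
 *                it is shorter than two characters or $params is empty.
 * @throws RuntimeException If the placeholder scan fails.
 */
function prepare($sql, $params = array(), $escape = null)
{
    if (strlen($sql) < 2 || count($params) < 1) {
        return $sql;
    }

    if ($escape === null) {
        $escape = function ($value) {
            return mysql_real_escape_string((string) $value);
        };
    }

    // A single pass over the ORIGINAL text: a substituted value is never
    // rescanned, so a value that itself contains ":name" text cannot be
    // replaced a second time the way successive str_replace() calls allow.
    $safeSql = preg_replace_callback(
        '/:([a-zA-Z0-9]+)/',
        function (array $match) use ($params, $escape) {
            if (!array_key_exists($match[1], $params)) {
                return $match[0]; // unknown placeholder: leave as-is
            }
            return "'" . $escape($params[$match[1]]) . "'";
        },
        $sql
    );

    // Fail closed rather than hand back a half-built query.
    if (!is_string($safeSql)) {
        throw new RuntimeException('prepare(): placeholder substitution failed');
    }

    return $safeSql;
}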
:
SELECT FROM usersWHERE fname= 'Robert'); Students DROP TABLE, - 'AND lname=' Smith 'SELECT FROM usersWHERE fname=' Robert \ '); Students DROP TABLE, - 'AND lname=' Smith '
EDIT: forgot the xkcd link http://xkcd.com/327/