Hi!
I'm getting ready to start developing using PHP and I'm very impressed so far! Way too cool 🙂
My question is this: how can I parameterise my queries? For example:
select * from users where user_name=?
then execute setting parameter 1 to be 'fred'.
This means that you don't need to perform any escaping, you don't have to perform any security checks to see if someone is trying to 'socially engineer' your queries, etc. It's an awesome way of doing it, but I can't see how you do this in PHP4/MySQL.
Hints appreciated 🙂
(If you could email me as well, I'd appreciate that. I'm damn forgetful and I'm sure I'll forget to come back here and see if anyone answered grin)
Thanks!
Matt.
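
An added example, not part of the original post: the query from the question run once with the value pasted into the SQL text and once with the value bound to the `?` placeholder. It assumes a PHP build with the PDO extension and its SQLite driver (used so the example runs without a MySQL server); the helper names, table rows and inputs are constructed for illustration.

```php
<?php
// Added example. Assumes PHP with the PDO extension and its SQLite driver;
// the table, rows and inputs below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT)');
$pdo->exec("INSERT INTO users (user_name) VALUES ('fred'), ('wilma')");

// Hypothetical helper: the value is pasted into the SQL text, so a quote
// in $name changes the structure of the query.
function findByConcatenation(PDO $pdo, $name)
{
    $sql = "SELECT * FROM users WHERE user_name='" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: the SQL text is fixed and the value is sent as
// parameter 1, so it is only ever compared as data.
function findByParameter(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user_name=?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = array('fred', "fred' OR '1'='1", "o'brien");
foreach ($inputs as $name) {
    try {
        $concat = count(findByConcatenation($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';   // an unbalanced quote breaks the statement
    }
    $bound = count(findByParameter($pdo, $name)) . ' row(s)';
    printf("%-18s concatenated: %-10s bound: %s\n", $name, $concat, $bound);
}
```

With the bound parameter, the input containing quotes matches no user and a name such as o'brien needs no escaping; with concatenation the same inputs either match every row or break the statement.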