1.1 How to use db
Connect to db with: vendor/laravel/framework/src/Illuminate/Database/Connection.php (Illuminate\Database\Connection wraps the underlying PDO instance)
Build statement: the connection prepares a PDOStatement from the SQL, then binds the values into it
use PDOStatement;
1.2 Bind values
Bind:
Connection::bindValues(PDOStatement $statement, array $bindings) in the file above loops over the bindings and calls PDOStatement::bindValue() for each one (PDOStatement itself has bindValue(), not bindValues())
2.1 Prepare statement and bind values
<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour');
/* Sets a parameter value using its name */
$sth->bindValue('calories', $calories, PDO::PARAM_INT);
/* Optionally, parameter names can also be prefixed with colons ":" */
$sth->bindValue(':colour', $colour, PDO::PARAM_STR);
$sth->execute();
?>
3.1 Escape
bindValue() keeps the parameter out of the SQL text, so quotes in it cannot break the query (with native prepares the value travels separately from the statement; with emulated prepares the driver escapes it). It does nothing about "%" and "_", because those are not SQL syntax: they are pattern characters interpreted by the LIKE operator itself. A parameter of "%" is therefore a perfectly valid bound string that matches every row, turning a lookup into a dump of everything the query can reach. PDO has no escape function for LIKE wildcards (PDO::quote() only handles string-literal quoting), so escape them yourself and declare the escape character with an ESCAPE clause.
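The following is an added example (not code from the page or from Laravel) that shows the problem and the fix side by side. It uses an in-memory SQLite database and a constructed fruit table so it runs stand-alone with the pdo_sqlite extension; escapeLike() is a helper written for this example, and "!" is chosen as the escape character to avoid the database-specific handling of backslashes in string literals.

```php
<?php
// Added example: a bound parameter is injection-safe but still a LIKE pattern.
// Requires the pdo_sqlite extension; the table and rows are constructed here.

/* Escape LIKE wildcards so a bound value matches literally.
 * The escape character itself is escaped first, so later replacements
 * are not re-escaped. Use with "... LIKE :pattern ESCAPE '!'" in the SQL. */
function escapeLike(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/* Constructed sample data */
$dbh->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$insert = $dbh->prepare(
    'INSERT INTO fruit (name, colour, calories) VALUES (:name, :colour, :calories)'
);
$rows = [['apple', 'red', 150], ['banana', 'yellow', 250],
         ['kiwi', 'green', 75], ['pear', 'green', 150]];
foreach ($rows as [$name, $colour, $calories]) {
    $insert->execute([':name' => $name, ':colour' => $colour, ':calories' => $calories]);
}

/* Attacker-controlled search term: a bare wildcard */
$search = '%';

/* 1. Naive: the value cannot break out of the SQL string (no injection),
 *    but LIKE still treats "%" as a wildcard and every row comes back. */
$sth = $dbh->prepare('SELECT name FROM fruit WHERE name LIKE :pattern');
$sth->bindValue(':pattern', $search, PDO::PARAM_STR);
$sth->execute();
$naive = $sth->fetchAll(PDO::FETCH_COLUMN);   // apple, banana, kiwi, pear

/* 2. Hardened: escape the wildcards and tell LIKE which escape character was used.
 *    Now the value only matches a fruit literally named "%", i.e. none. */
$sth = $dbh->prepare("SELECT name FROM fruit WHERE name LIKE :pattern ESCAPE '!'");
$sth->bindValue(':pattern', escapeLike($search), PDO::PARAM_STR);
$sth->execute();
$hardened = $sth->fetchAll(PDO::FETCH_COLUMN); // empty

/* 3. Intended prefix search: escape only the user-supplied part, then append
 *    the wildcard yourself, so "%" and "_" typed by the user stay literal. */
$sth = $dbh->prepare("SELECT name FROM fruit WHERE name LIKE :pattern ESCAPE '!'");
$sth->bindValue(':pattern', escapeLike('pe') . '%', PDO::PARAM_STR);
$sth->execute();
$prefix = $sth->fetchAll(PDO::FETCH_COLUMN);   // pear

printf("naive:    %s\nhardened: %s\nprefix:   %s\n",
    implode(',', $naive),
    $hardened ? implode(',', $hardened) : '(none)',
    implode(',', $prefix));
```

The same rule applies when the query is built through Laravel's query builder, because its bindings end up in PDOStatement::bindValue() via Connection::bindValues(): a `where('name', 'like', $term)` with an unescaped $term has exactly the behaviour of case 1 above. On MySQL, a backslash inside a string literal is itself an escape character unless NO_BACKSLASH_ESCAPES is set, which is why this example uses "!" rather than "\" as the ESCAPE character.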
4.1 https://www.php.net/manual/en/pdostatement.bindvalue.php