ADOdb's Prepare Method and MySQL
Howdy,
I am wondering if anyone knows if using ADOdb's prepare statement works 'properly' for a MySQL connection? I'm not clear on whether I'm actually successfully preventing SQL injection, or if the prepare method is just emulated for MySQL.
Would something like this:
$prepped = $db->Prepare("INSERT INTO my_table (field_1, field_2) VALUES (?, ?)");
$db->Execute($prepped, array($someValue, $anotherValue));
be safe to use in a MySQL connection?
Thanks!
-Landson
EDIT: Sorry, didn't see the exact code -- there's a simpler way -- see my next response below.
I believe your code will work, but there's a simpler way (that is also more standard across the C5 code):
$sql = "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)";
$vals = array($someValue, $anotherValue);
$db->Execute($sql, $vals);
// Or if it's a SELECT statement and you want the results of the query:
// $result = $db->Query($sql, $vals);
This of course assumes you've set the $db variable already with:
$db = Loader::db();
Thanks Jordan! My code is clearer and cleaner now, always nice to receive help.
Not entirely true, at least not in Concrete 5.6.2.1.
The default Concrete driver for ADOdb is 'mysqlt', as can be seen on line 500 in concrete/config/base.php. That driver doesn't have true support for prepared statements. Instead they are emulated, as can be seen on line 993 in concrete/libraries/3rdparty/adodb/adodb.inc.php.
Strings are quoted by that emulation, so I guess it's safe.
You can get real prepared statements by switching to the PDO driver. Just add this line to your config/site.php:
define('DB_TYPE', 'pdo_mysql');
I've verified this by adding a debug-print in the emulation code. The debug-print is executed when using mysqlt, but not when using pdo_mysql.
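A round-trip check, added here as an example and not code from the thread or from Concrete5/ADOdb: it inserts a value containing characters that must be escaped through the placeholder API discussed above, reads it back, and compares. Whether the driver quotes client-side ('mysqlt' emulation) or binds server-side ('pdo_mysql'), the stored value must come back byte-for-byte; it assumes a Concrete5 5.6 page context where Loader::db() works and that the thread's hypothetical table my_table(field_1, field_2) exists.

```php
<?php
// Added example, not part of the thread or of Concrete5/ADOdb.
// Assumes a Concrete5 5.6 context (Loader::db() available) and the
// hypothetical table my_table(field_1, field_2) used in the thread.
defined('C5_EXECUTE') or die('Access Denied.');

function checkParameterHandling($db) {
    $marker = 'roundtrip-' . uniqid();     // lets us find our own probe row again
    $tricky = "O'Reilly \\ \"quoted\"";    // single quote, backslash, double quote

    // Same placeholder form as in the thread; values are passed separately.
    $inserted = $db->Execute(
        "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)",
        array($marker, $tricky)
    );
    if ($inserted === false) {
        return 'insert failed: ' . $db->ErrorMsg();
    }

    // Read the value back through the same API.
    $stored = $db->GetOne(
        "SELECT field_2 FROM my_table WHERE field_1 = ?",
        array($marker)
    );

    // Remove the probe row regardless of the outcome.
    $db->Execute("DELETE FROM my_table WHERE field_1 = ?", array($marker));

    if ($stored === $tricky) {
        return 'ok: parameter was stored verbatim';
    }
    return 'mismatch: sent ' . var_export($tricky, true)
         . ', got ' . var_export($stored, true);
}

echo checkParameterHandling(Loader::db()) . "\n";
```

Run it under both DB_TYPE settings; a mismatch or an SQL error on the insert means the parameter was not treated purely as data by that driver.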
After switching to the PDO driver, I started getting error messages when changing settings in the dashboard. I switched back to the mysqlt driver, and then I no longer got the error messages.
So I guess we can't use prepared statements in Concrete 5.6. Bummer.