Question about ADODB shortened syntax

Hi, can one write an SQL query with a question mark parameter for the field name(s) right after the SELECT keyword? For example, in the following query:

$imageFVQuery = 'SELECT ' . $elem . '
         FROM btGtFBImages
         WHERE bID = ? and position = ?';


Here, I would like to replace ' . $elem . ' by a question mark, and add the parameter for it at the beginning of the params array below:

$params = array($this->bID, $position);
return Loader::db()->GetOne($imageFVQuery, $params);


However, it does not work. If I do it, GetOne() returns the names of the fields instead of the values. Is it possible to use a question mark here or not?

 
JohntheFish replied (Best Answer):
What you were originally doing is the only way I know of. ? doesn't work in that context.

If $elem comes from a user input you should sanitize it and backquote it to prevent injection.

Or you can query the metadata and make sure that the field in $elem exists, or even use metadata to build a selector for valid $elem.
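As an added illustration of the answer above (this is not code from the thread or from concrete5 itself), the following PHP shows the two approaches JohntheFish describes: bound ? parameters for the values, and a validated, backquoted identifier for the column. It assumes concrete5's Loader::db() returns an ADODB connection with GetOne() and MetaColumnNames(); the class name, the allowed-column list and the sample column names (fID, altText, caption) are invented for the example.

```php
<?php
// Added example, not code from the original thread or from concrete5.
// Assumes Loader::db() returns an ADODB connection (concrete5 5.x) and that
// the table btGtFBImages exists; column names in the whitelist are illustrative.

class GtFBImageLookup
{
    // Static whitelist: the only columns a caller may ask for. Checking
    // against a fixed list is the safest option when the set is known.
    private static $allowedColumns = array('fID', 'altText', 'caption');

    /**
     * Identifiers cannot be bound with ?, so validate the name and backquote it.
     * The regex rejects anything that is not a plain identifier; doubling any
     * backtick is belt-and-braces in case the regex is ever loosened.
     */
    public static function quoteIdentifier($name)
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException('Invalid column name');
        }
        return '`' . str_replace('`', '``', $name) . '`';
    }

    /**
     * Alternative to the static list: ask ADODB for the table's real columns.
     * MetaColumnNames() returns an array whose values are the column names as
     * stored (keys are upper-cased), or false if the table cannot be read.
     */
    public static function columnExists($db, $table, $column)
    {
        $columns = $db->MetaColumnNames($table);
        if ($columns === false) {
            return false;
        }
        return in_array($column, array_values($columns), true);
    }

    /**
     * Fetch one field of one image row. Values go through ? placeholders;
     * the column name is whitelisted and backquoted before it enters the SQL.
     */
    public static function getField($bID, $position, $elem)
    {
        if (!in_array($elem, self::$allowedColumns, true)) {
            throw new InvalidArgumentException('Column not permitted: ' . $elem);
        }

        $db  = Loader::db();
        $sql = 'SELECT ' . self::quoteIdentifier($elem) . '
                FROM btGtFBImages
                WHERE bID = ? AND position = ?';

        // Casting to int here is an extra guard; the ? binding already keeps
        // the values out of the SQL text.
        return $db->GetOne($sql, array((int) $bID, (int) $position));
    }
}

// Usage, e.g. from inside a block controller:
// $caption = GtFBImageLookup::getField($this->bID, $position, 'caption');
```

Note that backquoting alone only prevents the identifier from breaking out of the query; a caller could still name any existing column. If $elem can ever be influenced by a user, the whitelist (or at least the metadata check) is what keeps the set of readable columns under your control.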
Onox replied:
Thanks, you answered my question ($elem does not come from user input and the field in $elem always exists here)
