Question about ADODB shortened syntax
Hi, can one write an SQL query with a question mark parameter for the field name(s) right after the SELECT keyword? For example, in the following query:
$imageFVQuery = 'SELECT ' . $elem . ' FROM btGtFBImages WHERE bID = ? and position = ?';
Here, I would like to replace ' . $elem . ' by a question mark, and add the parameter for it at the beginning of the params array below:
$params = array($this->bID, $position);
return Loader::db()->GetOne($imageFVQuery, $params);
However, it does not work. If I do it, GetOne() returns the names of the fields instead of the values. Is it possible to use a question mark here or not?
If $elem comes from user input, you should sanitize it and backquote it to prevent injection.
Or you can query the metadata and make sure that the field in $elem exists, or even use metadata to build a selector for valid $elem.
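An added example (not code from either poster) of what the reply describes: a `?` placeholder can only bind a value, so `SELECT ? FROM ...` makes the database return the bound string itself, which is why GetOne() came back with the field name. The column name is instead checked against an allowlist and then inlined with backquotes, while bID and position stay bound. It assumes the concrete5/ADODB calls from the question (`Loader::db()->GetOne($sql, $params)`) and a constructed allowlist of column names; the metadata variant relies on ADODB's `MetaColumnNames()`.

```php
<?php
// Constructed allowlist for this example: the columns a caller may ask for.
// Real code would list the actual columns of btGtFBImages.
const BTGTFB_IMAGE_COLUMNS = ['fID', 'altText', 'linkURL'];

/**
 * Build the query safely. A placeholder cannot stand in for an identifier:
 * binding 'fID' to "SELECT ? FROM ..." yields the literal string 'fID' for
 * every row. So the identifier is validated, then inlined with backquotes,
 * and only the WHERE values are left as placeholders.
 */
function buildImageFieldQuery(string $elem, array $allowedColumns = BTGTFB_IMAGE_COLUMNS): string
{
    // Strict comparison against our own literals: anything else is rejected outright.
    if (!in_array($elem, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown column requested: ' . $elem);
    }
    // Safe to concatenate now: $elem is one of our own strings, not raw user data.
    return 'SELECT `' . $elem . '` FROM btGtFBImages WHERE bID = ? AND position = ?';
}

/**
 * Fetch one field of one image row. $db is an ADODB connection such as the
 * one returned by Loader::db(); bID and position are bound as values.
 */
function getImageFieldValue($db, int $bID, int $position, string $elem)
{
    $sql = buildImageFieldQuery($elem);
    return $db->GetOne($sql, [$bID, $position]);
}

/**
 * Variant suggested in the reply: derive the allowlist from the schema instead
 * of hard-coding it. Assumes ADODB's MetaColumnNames($table), which returns the
 * table's column names (array_values drops its uppercase keys).
 */
function columnAllowlistFromMetadata($db, string $table): array
{
    $names = $db->MetaColumnNames($table);
    return $names === false ? [] : array_values($names);
}
```

Because buildImageFieldQuery() throws on an unknown name, a request for `altText, fID FROM other_table --` never reaches the database, whereas the original `' . $elem . '` concatenation would have sent it as-is.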