Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use PDO prepared statement - avoid straw man #6665

Closed
wants to merge 1 commit into from
Closed

use PDO prepared statement - avoid straw man #6665

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions book/from_flat_php_to_symfony2.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -254,9 +254,11 @@ an individual blog result based on a given id::
function get_post_by_id($id)
{
$link = open_database_connection();
$id = intval($id);
$result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id);
$row = $result->fetch(PDO::FETCH_ASSOC);
$query = 'SELECT created_at, title, body FROM post WHERE id=:id';
$statement = $pdo->prepare($query);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$pdo must be $link here (or you need to rename the variable above).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry my mistake - I always use $pdo
yes, $link fits with existing code

regards,

.. matt ..

On Jun 21, 2016, at 07:57 AM, Christian Flothmann notifications@github.com wrote:

In book/from_flat_php_to_symfony2.rst:

@@ -254,9 +254,11 @@ an individual blog result based on a given id::
function get_post_by_id($id)
{
$link = open_database_connection();

  •    $id = intval($id);

  •    $result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id);

  •    $row = $result->fetch(PDO::FETCH_ASSOC);

  •    $query = 'SELECT created_at, title, body FROM post WHERE  id=:id';

  •    $statement = $pdo->prepare($query);
    $pdo must be $link here (or you need to rename the variable above).

    You are receiving this because you authored the thread.
    Reply to this email directly, view it on GitHub, or mute the thread.

$statement->bindParam(':id', $id, PDO::PARAM_INT);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bindValue()?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes you’re right,
bindValue(...) makes more sense, since statement is not being re-used with different values in a bound param-variable

regards,

.. matt ..

On 20 Jun 2016, at 13:21, Christian Flothmann notifications@github.com wrote:

In book/from_flat_php_to_symfony2.rst #6665 (comment):

@@ -254,9 +254,11 @@ an individual blog result based on a given id::
function get_post_by_id($id)
{
$link = open_database_connection();

  •    $id = intval($id);

  •    $result = $link->query('SELECT created_at, title, body FROM post WHERE id = '.$id);

  •    $row = $result->fetch(PDO::FETCH_ASSOC);

  •    $query = 'SELECT created_at, title, body FROM post WHERE  id=:id';

  •    $statement = $pdo->prepare($query);

  •    $statement->bindParam(':id', $id, PDO::PARAM_INT);
    bindValue()?


You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub https://github.com/symfony/symfony-docs/pull/6665/files/065dd3a3d49853eca691fb98003fb086a85b81c6#r67680106, or mute the thread https://github.com/notifications/unsubscribe/ABKRV9ecC9edXcKfJu2m8hGGpHyOEjl0ks5qNoXPgaJpZM4I5n_r.

Dr. Matt Smith | Senior Lecturer in Computing | matt.smith@itb.ie
Department of Informatics, School of Informatics & Engineering,
Institute of Technology Blanchardstown, Dublin 15, Republic of Ireland
www.itb.ie | Tel: +353-(1)-885-1098 | Fax: +353-(1)-885-1001

Recent publications:

  • Unity 5.x Cookbook (2015)

$statement->execute();
$row = $statement->fetch(PDO::FETCH_ASSOC);

close_database_connection($link);

Expand Down Expand Up @@ -294,9 +296,7 @@ Creating the second page is now very easy and no code is duplicated. Still,
this page introduces even more lingering problems that a framework can solve
for you. For example, a missing or invalid ``id`` query parameter will cause
the page to crash. It would be better if this caused a 404 page to be rendered,
but this can't really be done easily yet. Worse, had you forgotten to clean
the ``id`` parameter via the ``intval()`` function, your
entire database would be at risk for an SQL injection attack.
but this can't really be done easily yet.

Another major problem is that each individual controller file must include
the ``model.php`` file. What if each controller file suddenly needed to include
Expand Down