Parameterizing queries in a function with only sql as a parameter
I have a function that I call every time I want to execute a query, but after a while I noticed that if an input had a ', it would lead to an SQL error. But I kept building my website with this function (and I start to think it might not have been the best idea).
I want to rewrite this function but with the same parameter it had before, which is only the SQL. I searched everywhere and I only saw examples like this one:
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array('name' => $name));
Quoting this answer: here
But my function looks like this:
function query($sql) {
    $stmt = $this->conn->prepare($sql);
    $stmt->execute();
    return $stmt;
}
Pretty basic, but I thought at that time it would be enough.
And my problem with this is that I have a couple of complicated queries, so I'm trying to find a way to only use the SQL as a parameter, and not create an array to pass to execute in the function, as shown above.
Isn't there any other way to create a function where I can fix my apostrophe problem, but still have only that one parameter?
PS: I disabled the emulation of prepared statements to help against SQL injection.
Thanks for help.
php sql
asked Nov 10 at 0:42
Ruben Perdigao
143
2
No you have to do it properly, regardless of the effort involved
– RiggsFolly
Nov 10 at 0:58
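As an added example (not the asker's code and not an answer from this thread): the one-argument helper as posted, next to a hardened variant that keeps the call sites almost as short by taking the SQL plus a variadic list of bound values instead of a separate array. The point it demonstrates is that once user input is already spliced into the SQL string, prepare() cannot separate code from data, so an apostrophe is a syntax error and crafted input can change the query; when the values travel separately the driver handles quoting and the apostrophe is ordinary data. It assumes a PDO handle stored in `$this->conn` as in the question, uses an in-memory SQLite database so it runs offline, and the employees table and its rows are constructed for the example.

```php
<?php
// Added example, not from the question or any answer on this page.
// Assumes a PDO handle; an in-memory SQLite database is used so it runs offline.

class Db
{
    private PDO $conn;

    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
        $this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // On MySQL, keep the setting the asker already uses so placeholders are
        // prepared server-side: setAttribute(PDO::ATTR_EMULATE_PREPARES, false).
        // SQLite always prepares natively, so it is not needed here.
    }

    // The asker's helper: the SQL string already contains the user input when it
    // arrives here, so prepare() sees one opaque statement. An apostrophe in the
    // input breaks the syntax, and crafted input can alter the statement.
    public function queryUnsafe(string $sql): PDOStatement
    {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute();
        return $stmt;
    }

    // Hardened helper: the SQL stays a constant with ? placeholders and the
    // values are passed separately. Variadic arguments avoid building an array
    // at every call site, which was the asker's objection.
    public function query(string $sql, ...$params): PDOStatement
    {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Constructed sample data for the example.
$pdo = new PDO('sqlite::memory:');
$db  = new Db($pdo);
$db->query('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->query('INSERT INTO employees (name) VALUES (?)', "O'Brien");
$db->query('INSERT INTO employees (name) VALUES (?)', 'Smith');

$name = "O'Brien";   // the kind of input that broke the original helper

// Hardened path: the apostrophe is just part of the bound value.
$row = $db->query('SELECT id, name FROM employees WHERE name = ?', $name)
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Brien");   // bool(true)

// Original path: the same input is spliced into the SQL text and prepare() fails.
try {
    $db->queryUnsafe("SELECT id, name FROM employees WHERE name = '$name'");
} catch (PDOException $e) {
    echo 'unsafe helper failed on apostrophe: ' . $e->getMessage() . PHP_EOL;
}
```

For queries with many values, named placeholders (`:name`) with an associative array read better than a long positional list, but the hardened helper above accepts that too, since `execute()` takes either form; the thing that must never vary is that the SQL text itself contains no request data.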