Parameterizing queries in a function with only sql as a parameter
I have a function that I call every time I want to execute a query, but after a while I noticed that if an input had a ', it would lead to an SQL error. But I kept building my website with this function (and I start to think it might not have been the best idea).

I want to rewrite this function but with the same parameter it had before, which is only the SQL. I searched everywhere and I only saw examples like this one:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array('name' => $name));

Quoting this answer: here

But my function looks like this:

function query($sql) {
    // the whole query, values included, arrives as one string
    $stmt = $this->conn->prepare($sql);
    // nothing is bound here, so any values must already be inside $sql
    $stmt->execute();
    return $stmt;
}

pretty basic, but I thought at that time it would be enough.

And my problem with this is that I have a couple of complicated queries, so I'm trying to find a way to only use the SQL as a parameter, and not create an array to insert in the function in the execute as shown above.

Isn't there any other way to create a function where I can fix my apostrophe, but still have only that one parameter?

PS: I disabled the emulation of prepared statements to help against SQL injection.

Thanks for the help.
  • No you have to do it properly, regardless of the effort involved – RiggsFolly, Nov 10 at 0:58
php sql

asked Nov 10 at 0:42
Ruben Perdigao
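One way to do what the comment recommends while keeping the old call style, as an added example (not the asker's code and not any library's API): an optional second argument carries the values, so `query($sql)` still works for static SQL and user input is bound instead of concatenated into the query text. The `Db` class name, the in-memory SQLite database and the `employees` rows are constructed for the demo.

```php
<?php
// Added example, not the asker's code. Keeps the one-argument call style
// but lets callers pass bound values so an apostrophe never reaches the SQL.
// Uses an in-memory SQLite table (constructed here) so it runs stand-alone.
declare(strict_types=1);

final class Db
{
    private PDO $conn;

    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
    }

    // Same shape as before: query($sql) still works for static SQL.
    // Anything that comes from a user goes in $params, never into $sql.
    public function query(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->conn->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // raise instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                 // native prepares, as in the question
]);
$pdo->exec("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO employees (name) VALUES ('O''Brien'), ('Smith')");

$db   = new Db($pdo);
$name = "O'Brien"; // constructed input containing the apostrophe from the question

// Old style: the value is glued into the SQL text, so the quote breaks the
// statement (and lets the input change the query). Shown only for contrast.
try {
    $db->query("SELECT * FROM employees WHERE name = '$name'");
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// New style: the SQL text is constant; the value travels separately as a bound
// parameter, so the apostrophe is just data and one row comes back.
$rows = $db->query('SELECT * FROM employees WHERE name = :name', ['name' => $name])
           ->fetchAll(PDO::FETCH_ASSOC);
echo "bound query found ", count($rows), " row(s)\n";
```

Existing call sites that pass only a literal SQL string keep working unchanged; the ones that build the string from input are the ones to move to the second argument.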