PDO and SQL injection

With thanks to @Dormilich and @spaceshiptrooper I have done some work to use prepared statements on a fairly complex query, in my opinion anyway. I was looking at this and wondering if there was a simpler way of doing this, or even a way to use less code. This has been a learning experience for me and hopefully my search page will now be absolutely injection proof.

Also, if someone can point me at a method of putting up a message if the search has no results; PDO seems not to work with some of the “solutions” out there.

<?php
$s1 = $_REQUEST["search1"];
$s2 = explode(" ", $s1);                 // one search term per array element

include("navigation/constants.php");     // defines $pdo

// Build the query: one "blog_text LIKE ?" placeholder per term, joined with AND.
foreach ($s2 as $s2b => $s2a) {
    if ($s2b == 0) {
        $s2c = "SELECT blog_name, blog_url, blog_img, blog_desc FROM blogs WHERE blog_text LIKE ? ";
    } else {
        $s2c .= "AND blog_text LIKE ? ";
    }
}
$s2c .= "ORDER BY blog_id DESC";

$sqls = $pdo->prepare($s2c);

// Placeholders are numbered from 1. Use bindValue, not bindParam: bindParam binds
// by reference, so re-using one variable in a loop would leave every placeholder
// holding the last term at execute() time.
foreach ($s2 as $s2b => $s2a) {
    $sqls->bindValue($s2b + 1, "%" . $s2a . "%");
}
$sqls->execute();

while ($row = $sqls->fetch(PDO::FETCH_ASSOC)) {
    // Encode every value before it goes into the HTML.
    $k1 = htmlentities($row['blog_name']);
    $k2 = htmlentities($row['blog_url']);
    $k3 = htmlentities($row['blog_img']);
    $k4 = htmlentities($row['blog_desc']);

    echo "<div id=\"block1\"><div id=\"suba\"><h2>" . $k1 . "</h2> <a href=\"../blog/" . $k2 . ".html\"><img src=\"../img/" . $k3 . "\" width=\"98%\" align=\"left\"></a><div id=\"subat\">" . $k4 . " <a href=\"../blog/" . $k2 . ".html\">more about " . $k1 . "</a></div></div></div>";
}
?>

Of course there is. Given in pseudo code:

sql = 'select ... from ... ' concat implode 'AND' with map item => '?'
query = prepare sql

map item => '%item%' each item => query.bind item

query.execute
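The pseudo code above turned into working PHP, as an added example that is not from the thread or any of its posters. It runs against an in-memory SQLite table filled with constructed rows so it works offline (it assumes the pdo_sqlite extension and PHP 7.4 or later for the arrow function); the function name searchBlogs and the column list are assumptions, modelled on the query in the first post. It also answers the "no results" question: fetchAll() returns a plain array, so an empty search is simply count() == 0, and it shows that a classic injection string is bound as data rather than becoming part of the SQL.

```php
<?php
// Added example (not from the thread). Assumed schema:
// blogs(blog_id, blog_name, blog_url, blog_img, blog_desc, blog_text)

/**
 * One "blog_text LIKE ?" clause per search term, joined with AND,
 * each term bound as "%term%". Returns the matching rows (possibly empty).
 */
function searchBlogs(PDO $pdo, string $search): array
{
    // Split on whitespace and drop empty pieces (double spaces, leading/trailing blanks).
    $terms = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === []) {
        return [];   // nothing to search for: report it as "no results"
    }

    // map item => '?'  ...  implode 'AND'
    $clauses = array_map(fn($term) => 'blog_text LIKE ?', $terms);
    $sql = 'SELECT blog_name, blog_url, blog_img, blog_desc FROM blogs WHERE '
         . implode(' AND ', $clauses)
         . ' ORDER BY blog_id DESC';

    $stmt = $pdo->prepare($sql);

    // Positional placeholders are 1-based. bindValue copies the string, so the loop
    // variable can be reused safely; bindParam binds by reference and every
    // placeholder would end up holding the last term.
    foreach ($terms as $i => $term) {
        $stmt->bindValue($i + 1, '%' . $term . '%', PDO::PARAM_STR);
    }
    $stmt->execute();

    // fetchAll() gives an array; count() it for the "no results" message.
    // (rowCount() is not reliable for SELECT on every PDO driver.)
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed fixture so the example runs offline ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blogs (blog_id INTEGER PRIMARY KEY, blog_name TEXT,
            blog_url TEXT, blog_img TEXT, blog_desc TEXT, blog_text TEXT)');
$insert = $pdo->prepare('INSERT INTO blogs (blog_name, blog_url, blog_img, blog_desc, blog_text)
                         VALUES (?, ?, ?, ?, ?)');
$insert->execute(['Prepared statements', 'prepared', 'p.png', 'PDO basics',
                  'Using prepared statements with PDO in PHP']);
$insert->execute(['Escaping output', 'escaping', 'e.png', 'XSS basics',
                  'htmlentities and output encoding in PHP']);

// Two terms: both must match, so only the first row comes back.
$rows = searchBlogs($pdo, 'PDO PHP');
echo count($rows) . " result(s) for 'PDO PHP'\n";

// The classic injection string is split into ordinary LIKE patterns and bound as
// data; it never becomes "WHERE 1=1", so nothing matches and the message appears.
$rows = searchBlogs($pdo, "' OR 1=1 --");
if ($rows === []) {
    echo "No results found\n";
}
```

The point of binding is that the SQL text handed to prepare() contains only placeholders; whatever the user typed, including quotes and comment markers, is sent separately and compared as a string. Output still has to be encoded with htmlentities() as in the first post, since prepared statements do nothing for the HTML side.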

I know this is asking a lot but please explain to me what this does, and what is pseudo code?

Ignore the question, I understand

Pseudo code is programming-code-like text (which obviously doesn’t run in any programming language) that explains the steps of a real programme without using the language-specific commands.

For example, map item => '?' would be some_array.map(item => '?') in JavaScript and array_map(function ($item) { return '?'; }, $some_array); in PHP, which describes the mapping of all array values of some_array into ? characters.

Thanks for your explanation

Take a look at the Doctrine Database Abstraction Layer’s query builder.

The DBAL is a thin layer over PDO and makes using prepared statements much easier. Especially the binding.

I highly recommend you stay away from the cryptic variable naming. Use descriptive names.

They may seem cryptic to you, but to me they are descriptive.

That’s perfectly fine. Will they still be clear in two years when you come back in to modify the code for something? If still yes, then it’s no problem.


There is not that much code on a page that I can’t work it out
