Showing results for tags 'prepared statements'.
Found 2 results

  1. BACKGROUND: I have created a search box for users to query the Grammar Captive database with Natural Language functionality. As the query string results in a single variable that is read into an AGAINST statement (see below), I am concerned about the overall safety of my database and web application.

     QUESTION ONE: Is it possible to write a prepared statement with the value of an AGAINST clause as an unknown? If not, what must one do in order to prevent SQL injection?

     WHAT I HAVE CREATED

         SELECT letter_no, letter_title, letter_abstract, submission_date, revision_date,
                MATCH (letter_title, letter_abstract, letter_body) AGAINST ('$search_input') AS letter_score
         FROM sevengates_letter
         WHERE MATCH (letter_title, letter_abstract, letter_body) AGAINST ('$search_input')
         ORDER BY letter_score DESC

     WHAT I WANT TO CREATE

         SELECT letter_no, letter_title, letter_abstract, submission_date, revision_date,
                MATCH (letter_title, letter_abstract, letter_body) AGAINST ('$search_input') AS letter_score
         FROM sevengates_letter
         WHERE MATCH (letter_title, letter_abstract, letter_body) AGAINST (?)
         ORDER BY letter_score DESC

     QUESTION TWO: Will the "What I want to create" version fly?

     Roddy
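A bound parameter is allowed inside AGAINST(): the search string travels to the server as data, so no part of it is ever parsed as SQL, and both AGAINST clauses need to be bound, not just the one in the WHERE clause. The following is an added example, not Roddy's code. It assumes a PDO connection (the DSN, account name and password are placeholders) and a sevengates_letter table with a FULLTEXT index over the three columns named in the post. Because a real, non-emulated prepared statement does not let one named placeholder appear twice, the same value is bound to two positional markers. It goes slightly beyond the post by also binding the LIMIT as an integer.

```php
<?php
// Added example, not Roddy's code. Assumes the sevengates_letter table with a
// FULLTEXT index on (letter_title, letter_abstract, letter_body) exists, and that
// the connection details below ($dsn, $user, $pass) are replaced with real ones.
declare(strict_types=1);

$dsn  = 'mysql:host=localhost;dbname=grammar_captive;charset=utf8mb4'; // assumed DSN
$user = 'search_ro';  // assumed read-only account: SELECT on sevengates_letter only
$pass = 'change-me';  // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // send a real server-side prepared statement
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Full-text search with the user's string bound as data in BOTH AGAINST() clauses.
 * With native prepares a named placeholder cannot be reused, so two positional
 * markers are bound to the same value. Returns the matching rows, best score first.
 */
function searchLetters(PDO $pdo, string $searchInput, int $limit = 50): array
{
    $sql = <<<'SQL'
        SELECT letter_no, letter_title, letter_abstract, submission_date, revision_date,
               MATCH (letter_title, letter_abstract, letter_body)
                   AGAINST (? IN NATURAL LANGUAGE MODE) AS letter_score
        FROM   sevengates_letter
        WHERE  MATCH (letter_title, letter_abstract, letter_body)
                   AGAINST (? IN NATURAL LANGUAGE MODE)
        ORDER  BY letter_score DESC
        LIMIT  ?
        SQL;

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(1, $searchInput, PDO::PARAM_STR);
    $stmt->bindValue(2, $searchInput, PDO::PARAM_STR);
    $stmt->bindValue(3, $limit, PDO::PARAM_INT); // LIMIT must be bound as an integer
    $stmt->execute();
    return $stmt->fetchAll();
}

// Constructed hostile input: harmless here, because it only ever arrives as a bound value.
$results = searchLetters($pdo, "grammar') OR 1=1 -- ");
printf("%d rows\n", count($results));
```

With ATTR_EMULATE_PREPARES left at its default (true) PDO would instead quote and splice the value client-side; that is also injection-safe, and it additionally permits reusing a named placeholder, but the server-side form above is the one that guarantees the query text and the data never mix.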
  2. Hi all, I've been working out my learning issues slowly and was able to figure out the process to communicate from an HTML form to PDO to MariaDB fine. I decided to try to work with Prepared Statements via PDO into my MariaDB and am having some problems I can't get through. I'm trying to simplify things as much as possible so I can work it out, but don't think I've got it. Can anyone help point out a better approach to using prepared statements for a simple form with a few questions? I've scaled down my practice files for ease of use. I'm using my own Apache test server locally, with the latest version of Apache and MariaDB 10.1.26 on Windows 8.1.

     Here is the simple HTML file:

        <!doctype html>
        <html lang="en-US">
        <!-- ###################################################################################################/-->
        <!-- Main Page for Monsters of SciFi Tribute -- Testing Only /-->
        <!-- ###################################################################################################/-->
        <head>
            <meta charset="UTF-8">
            <title>SciFi Monsters</title>
        </head>
        <body>
        <br>
        <br>
        <br>
        <!-- This section is for: Take a quick Godzilla survey /-->
        <div id="survey-div">
            <form action="CheckFormData.php" method="post">
                <fieldset id="survey-fieldset">
                    <legend>Take one of our quick surveys.</legend>
                    <p>
                        <label>1. Who is your <strong>favorite monster</strong> character (Godzilla related or not):</label>
                        <input id="FavMonster" name="FavMonster" type="text" value="" />
                    </p>
                    <p>
                        <label>2. Who is your <strong>favorite villain</strong>:</label>
                        <input id="FavVillian" name="FavVillian" type="text" />
                    </p>
                    <p>
                        <label>3. What is your <strong>favorite monster related movie</strong>:</label>
                        <input id="FavMovie" name="FavMovie" type="text" />
                    </p>
                    <p>
                        <label>Press 'Submit' when you are done.</label>
                        <input type="submit" value="Submit" name="submit_button" />
                    </p>
                </fieldset>
            </form>
        </div>
        </body>
        </html>

     Here is my CheckFormData.php test file (what a mess, haha):

        <!DOCTYPE html>
        <html lang="en-US">
        <head>
            <meta charset="UTF-8">
            <title>CheckFormData.php</title>
        </head>
        <!-- The attempt with this file is to verify all user entered data is formatted correctly,
             then establish a database connection, and attempt to communicate that data to the
             database, all from one file. /-->
        <body>
        <?php
        // define variables and set to empty values
        // 1st - Set variables for form array $_POST
        $SurveyForm = $_POST;
        $Q1 = $SurveyForm['FavMonster'];
        $Q2 = $SurveyForm['FavVillian'];
        $Q3 = $SurveyForm['FavMovie'];

        // Set any functions up
        // validate all form data
        function test_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
        }

        // We are NOT testing for 'required' fields
        if ($_SERVER["REQUEST_METHOD"] == "POST") {
            // Start validation on all Q's (test_input returns the cleaned value, so assign it back)
            $Q1 = test_input($Q1);
            $Q2 = test_input($Q2);
            $Q3 = test_input($Q3);
            // Start move validation
            if (!preg_match("/^[a-zA-Z ]*$/", $Q1)) {
                $SQErr = "Only letters and white space allowed";
            }
            if (!preg_match("/^[a-zA-Z ]*$/", $Q2)) {
                $SQErr = "Only letters and white space allowed";
            }
            if (!preg_match("/^[a-zA-Z ]*$/", $Q3)) {
                $SQErr = "Only letters and white space allowed";
            }
        }

        // OK, presuming my validations are working, now attempt to connect to database
        // PDO connection check
        $servername = "localhost";
        $username = "Any";
        $password = "BurgerKing";
        $dbname = "test-survey1";

        try {
            // Attempt MySQL server connection (no space before dbname in the DSN)
            $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
            // set the PDO error mode to exception
            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            // Prepare sql and bind parameters (MariaDB quotes identifiers with backticks, not [ ])
            $stmt = $conn->prepare("INSERT INTO `test-survey1`.favorites (FavMonster, FavVillian, FavMovie) VALUES (:Q1, :Q2, :Q3)");
            $stmt->bindParam(':FavMonster', $Q1);
            $stmt->bindParam(':FavVillian', $Q2);
            $stmt->bindParam(':FavMovie', $Q3);
            $stmt->execute();
            echo "New records created successfully";
        } catch (PDOException $e) {
            echo "Connection failed: " . $e->getMessage();
        }
        $conn = null;
        ?>
        </body>
        </html>

     ** What this all gives me right now is: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
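The HY093 error in the post above comes from the placeholder names: the statement declares :Q1, :Q2 and :Q3, but bindParam() is called with :FavMonster, :FavVillian and :FavMovie, and PDO refuses to bind a name that does not occur in the prepared query. Below is an added rewrite of the handler, not the poster's code. It keeps the bound names identical to the placeholders, stops on a validation failure instead of inserting anyway, uses a real server-side prepare, and leaves HTML encoding to output time rather than storing encoded text. It assumes the poster's database test-survey1 with a favorites table holding the three columns; the account name and password are placeholders.

```php
<?php
// Added example, not the poster's CheckFormData.php. Assumes the poster's database
// `test-survey1` with table favorites(FavMonster, FavVillian, FavMovie) and a
// dedicated account; the account name and password below are placeholders.
declare(strict_types=1);

const FIELDS = ['FavMonster', 'FavVillian', 'FavMovie'];

/** Validate one answer: trim, then allow only letters and spaces, at most 100 chars. */
function validateAnswer(string $raw): ?string
{
    $value = trim($raw);
    // Same character rule as the original post. No stripslashes/htmlspecialchars here:
    // encoding belongs where the data meets HTML, not in the stored value.
    return preg_match('/^[a-zA-Z ]{0,100}$/', $value) === 1 ? $value : null;
}

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=test-survey1;charset=utf8mb4';
    return new PDO($dsn, 'survey_app', 'change-me', [      // assumed credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,               // real server-side prepare
    ]);
}

/** Insert one survey row. The placeholder names and the bound names are identical. */
function insertSurvey(PDO $pdo, array $answers): void
{
    $sql = 'INSERT INTO `test-survey1`.favorites (FavMonster, FavVillian, FavMovie)
            VALUES (:FavMonster, :FavVillian, :FavMovie)';
    $stmt = $pdo->prepare($sql);
    foreach (FIELDS as $f) {
        $stmt->bindValue(':' . $f, $answers[$f], PDO::PARAM_STR);
    }
    $stmt->execute();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

$answers = [];
$errors  = [];
foreach (FIELDS as $f) {
    $v = validateAnswer((string) ($_POST[$f] ?? ''));
    if ($v === null) {
        $errors[] = "$f: only letters and white space allowed";
    }
    $answers[$f] = $v;
}

if ($errors !== []) {
    http_response_code(422);
    // Encode at output time, where the text is placed into HTML.
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

try {
    insertSurvey(connect(), $answers);
    echo 'New record created successfully';
} catch (PDOException $e) {
    error_log('survey insert failed: ' . $e->getMessage()); // detail stays server-side
    http_response_code(500);
    echo 'Could not save your answers.';                   // generic message to the client
}
```

Two details carry over to the poster's version directly: MariaDB quotes identifiers with backticks, so `[test-survey1]` would be a syntax error once the placeholder names match, and echoing $e->getMessage() to the browser leaks the DSN, table and column names on every failure, which is why the catch block above logs the detail and returns a generic message.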