How to use prepare statements / bind values in a query in Joomla 3?

此生再无相见时 submitted on 2021-01-27 14:13:57

Question

I'd like to know how to bind values in a where clause. I have understood that this is something that MUST be done for security reasons.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
    ->select("*")
    ->from($db->quoteName("food"))
    ->where("taste = :taste")
    ->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();

I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste

My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements". I am using Joomla 3.2.1 and MySQL, and in my Joomla configuration MySQLi. Could that be the problem?

I am quite confused because I don't know which API / class I have to follow.

  • JDatabase for Joomla 3.x: there is no bind method, and the information is scant; it seems like it is not complete.
  • JDatabase for Joomla 2.5 has more information, but obviously it is not my version. There is no bind method.
  • JDatabaseQuery for Joomla 3.x: there is no bind method
  • JDatabaseQuerySqlite for Joomla 3.x has a bind method
  • JDatabaseQueryPdo for Joomla 3.x: there is no bind method
  • JTable for Joomla 3.x has a bind method

I'm even starting to doubt whether I have to use JFactory::getDbo() to Select/Insert/Update/Delete data in the Joomla DB.

Thanks in advance.


Answer 1:

As far as I know, you can't use prepared statements nor bind values with Joomla.

If you read the Secure Coding Guidelines from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.




Answer 2:

In Joomla there is normally the check(), bind(), store() triple from JTable that prevents injection.

JDatabaseQueryPreparable has a bind method that you may want to look at. You may also want to look at the docblocks for JDatabaseQueryLimitable.

One thing I would suggest is that when you get that error, usually it is really because you do have a problem in your query (often wrong quoting, or something being empty that must not be empty). To see your generated query you can use

echo $query->dump();

and then try running it directly in SQL.

Also, in general it's wise to use $db->quote() and $db->quoteName() if you are using the API; that way you won't run into quoting problems. I think you may have a quoting problem, but it's hard to know without knowing your field names.
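Since Answers 1 and 2 both point out that Joomla 3 on MySQLi offers no bind() and that casting and quoting are the injection defence instead, here is an added example (not code from the original post or from the Joomla project) of how that looks in practice. It assumes a table "food" with columns "taste" and "rating"; the function name and the column "rating" are assumptions for illustration.

```php
<?php
// Added example for Joomla 3.x (JFactory API), where bind() is not available
// for the MySQLi driver. The rule applied throughout: every string value goes
// through $db->quote(), every integer is cast, every identifier goes through
// $db->quoteName(). Nothing from the caller is spliced into the SQL as-is.

/**
 * Select rows from "food" whose taste is in the given list and whose rating
 * is at least $minRating.
 *
 * The unsafe pattern this replaces (caller input concatenated into SQL):
 *   $query->where("taste = '" . $taste . "' AND rating >= " . $minRating);
 *
 * @param   array    $tastes     Taste values supplied by the caller (untrusted).
 * @param   integer  $minRating  Minimum rating supplied by the caller (untrusted).
 *
 * @return  array  Associative rows, empty array when nothing matches.
 */
function loadFoodByTasteJ3(array $tastes, $minRating = 0)
{
    if (empty($tastes))
    {
        return array();
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);

    // quote() accepts an array and returns each element escaped and wrapped
    // in quotes; implode() turns that into a safe IN (...) list.
    $quotedTastes = implode(',', $db->quote($tastes));

    $query
        ->select('*')
        ->from($db->quoteName('food'))
        ->where($db->quoteName('taste') . ' IN (' . $quotedTastes . ')')
        // Integers are cast rather than quoted, so a non-numeric value
        // collapses to 0 instead of reaching the SQL parser.
        ->where($db->quoteName('rating') . ' >= ' . (int) $minRating);

    $db->setQuery($query);

    // While debugging, the SQL actually sent to the server can be inspected
    // with:  echo $query->dump();

    return $db->loadAssocList();
}

// Usage: both arguments come from the request and are never trusted.
$rows = loadFoodByTasteJ3(array('sweet', "salty' OR '1'='1"), '5');
```

The second taste value in the usage call is a constructed string containing a quote; after $db->quote() it reaches the server only as a literal to compare against, and the string passed as $minRating becomes the integer 5 through the cast.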




Answer 3:

From Joomla 4, binding data to named parameters is possible with the bind() method. This has been asked for for many years and finally it has come to the CMS.

  • Early reference in Joomla Docs: https://docs.joomla.org/J4.x:Moving_Joomla_To_Prepared_Statements
  • Proper Joomla Documentation: https://docs.joomla.org/J4.x:Selecting_data_using_JDatabase
  • Here's a good tutorial: https://www.techfry.com/joomla/prepared-statements-in-joomla-4

The syntax is precisely as prophesied in the snippet in the post:

$taste = "sweet";

$db = JFactory::getDbo();
$query = $db->getQuery(true)
    ->select("*")
    ->from($db->quoteName("food"))
    ->where($db->quoteName("taste") . " = :taste")
    ->bind(":taste", $taste);
$db->setQuery($query);
$rows = $db->loadAssocList();
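Building on the Joomla 4 snippet above, here is an added example (not code from the original post or from the Joomla project) that binds several parameters of different types and a variable-length IN list, all without concatenating a single value into the SQL. It assumes a Joomla 4 bootstrap, the Joomla\Database API with bind(), whereIn() and ParameterType, and a table "food" with columns "taste", "rating" and "id"; the function name and the "rating" column are assumptions for illustration.

```php
<?php
// Added example for Joomla 4 (Joomla\Database API). Two points the short
// snippet in the answer does not show:
//   1. bind() takes its value BY REFERENCE, so the value must live in a
//      variable; a literal such as ->bind(':taste', 'sweet') cannot be bound.
//   2. ParameterType selects how the driver binds the value; integers should
//      be bound as INTEGER rather than defaulting to STRING.
use Joomla\CMS\Factory;
use Joomla\Database\DatabaseInterface;
use Joomla\Database\ParameterType;

/**
 * Load rows from "food" matching a taste and a minimum rating, optionally
 * restricted to a set of ids. Every caller-supplied value is a bound
 * parameter; only identifiers are built into the SQL text, via quoteName().
 *
 * @param   string  $taste      Taste to match (untrusted).
 * @param   int     $minRating  Minimum rating (untrusted).
 * @param   int[]   $ids        Optional id filter (untrusted).
 *
 * @return  array  Associative rows.
 */
function loadFoodJ4(string $taste, int $minRating, array $ids = []): array
{
    // Joomla 4 resolves the database driver from the DI container;
    // Factory::getDbo() still works but is deprecated.
    $db    = Factory::getContainer()->get(DatabaseInterface::class);
    $query = $db->getQuery(true)
        ->select('*')
        ->from($db->quoteName('food'))
        ->where($db->quoteName('taste') . ' = :taste')
        ->where($db->quoteName('rating') . ' >= :minRating')
        // $taste and $minRating are variables, so the by-reference bind works.
        ->bind(':taste', $taste)
        ->bind(':minRating', $minRating, ParameterType::INTEGER);

    if ($ids !== [])
    {
        // whereIn() generates one placeholder per element and binds each
        // one as INTEGER (its default), so the list length is never an issue.
        $query->whereIn($db->quoteName('id'), $ids);
    }

    $db->setQuery($query);

    return $db->loadAssocList();
}

// Usage: a quote in the taste value is harmless because it is a bound
// parameter, never part of the SQL text.
$rows = loadFoodJ4("sweet' OR '1'='1", 3, [1, 2, 3]);
```

Because the bound variables are referenced rather than copied, the same query object can be executed again after assigning a new value to $taste; the driver re-sends the parameter without the SQL text having to be rebuilt.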


Source: https://stackoverflow.com/questions/24079199/how-to-use-prepare-statements-bind-values-in-a-query-in-joomla-3
