php pdo prepared statements to prevent sql injection
https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection
//select data
include '../pdo-connect.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//single query
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("select MemberID,Email from raj_members where MemberID=$id[1] limit 1");
$stmt->execute();
$row = $stmt->fetch();
//read sql protected
$email=$_POST[loginid];
$ps=md5($_POST[password]);
//echo $email . '--' .$ps;
$rowCount = 0;
include 'pdo-connect.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql="SELECT pwd,emailid,isroot FROM usermaster WHERE emailid=:email AND pwd=:ps";
//echo $sql;
$stmt = $pdo->prepare($sql);
$stmt->bindParam("email", $email,PDO::PARAM_STR) ;
$stmt->bindParam("ps", $ps,PDO::PARAM_STR) ;
$stmt->execute();
$count=$stmt->rowCount();
$data=$stmt->fetch(PDO::FETCH_OBJ);
OR
--
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM customers where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$row = $q->fetch(PDO::FETCH_ASSOC);
echo $row[id];
Database::disconnect();
//loop
$WorldSql = "SELECT id,woeid,collection_dt,trend,country,city FROM trends WHERE woeid = :WorldID AND trim(trend)!='' AND DATE(collection_dt)='$CurrentDate' ORDER BY trendid ASC";
//echo '<br> Sql Display '.$WorldSql;
$WorldSql = $pdo->prepare($WorldSql);
$WorldSql -> bindParam(':WorldID', $WorldID);
$WorldSql -> execute();
$result = $WorldSql->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $key => $value) {
//$trendURL=trim($value->trendUrl);
$tweetTrend.= trim($value->trend) . ', ';
}
// insert data
if ($valid) {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO customers (name,email,mobile) values(?, ?, ?)";
$q = $pdo->prepare($sql);
$q->execute(array($name,$email,$mobile));
$emplastId = $pdo->lastInsertId();
Database::disconnect();
header("Location: index.php");
}
//insert an array into a single MySQL Prepared statement w/ PHP and PDO
// or multiple sql statement or more query or php pdo insert array values
$mname = $_POST['mname'];
$tcode = $_POST['tcode'];
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
for($i=0;$i<count($_POST['categories']);$i++){
$data[] = $_POST['categories'][$i];
}
$sql = 'INSERT INTO modules (modulename, modulecode, occid) VALUES ';
$insertQuery = array();
$insertData = array();
foreach ($data as $row) {
$insertQuery[] = '(?, ?, ?)';
$insertData[] = $_POST['mname'];
$insertData[] = $_POST['tcode'];
$insertData[] = $row;
}
if (!empty($insertQuery)) {
$sql .= implode(', ', $insertQuery);
$stmt = $pdo->prepare($sql);
$stmt->execute($insertData);
}
// update data
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE customers set name = ?, email = ?, mobile =? WHERE id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($name,$email,$mobile,$id));
Database::disconnect();
header("Location: index.php");
// delete data
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "DELETE FROM customers WHERE id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
Database::disconnect();
header("Location: index.php");
// count records with injection preventation at virtualfollow/feed
$sql="SELECT woeid,trend FROM trends WHERE woeid=:Mywoeid AND trim(trend)=:Mytrend";
$stmt = $pdo->prepare($sql);
$stmt->bindParam("Mytrend", $trendDB,PDO::PARAM_STR) ;
$stmt->bindParam("Mywoeid", $WorldID,PDO::PARAM_STR) ;
$stmt->execute();
$count=$stmt->rowCount();
//$data=$stmt->fetch(PDO::FETCH_OBJ);
//echo '<br> total '. $count . ' ' . $trendDB;
if ($count < 1) {
insert data
}
//bind value example
$user_id = 16;
$query = $SQL->prepare('SELECT tags FROM users WHERE user_id = :uid');
$query->bindValue(':uid', $user_id, PDO::PARAM_INT);
$query->execute();
// count records -- see my-emarketing-home.php
$stmt = $pdo->prepare("SELECT ComposedID,EmailName,AdminID,Subject,default_email_id FROM raj_composed_emails WHERE AdminID = '$_SESSION[MemberID]' and default_email_id='1' ");
$stmt->execute();
$dRow = $stmt->fetch();
echo count($stmt);
//all your results is in $rows array
//$stmt->setFetchMode(PDO::FETCH_ASSOC);
if (count($stmt) > 0) {
$dmail = $dRow['Subject'];
$eid=$dRow['ComposedID'];
foreach ($dRow as $row) {
//output your rows
}
}
- See more at: http://www.startutorial.com/articles/view/php-crud-tutorial-part-3#sthash.XJpiJUqb.dpuf
//select data
include '../pdo-connect.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//single query
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare("select MemberID,Email from raj_members where MemberID=$id[1] limit 1");
$stmt->execute();
$row = $stmt->fetch();
//read sql protected
$email=$_POST[loginid];
$ps=md5($_POST[password]);
//echo $email . '--' .$ps;
$rowCount = 0;
include 'pdo-connect.php';
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql="SELECT pwd,emailid,isroot FROM usermaster WHERE emailid=:email AND pwd=:ps";
//echo $sql;
$stmt = $pdo->prepare($sql);
$stmt->bindParam("email", $email,PDO::PARAM_STR) ;
$stmt->bindParam("ps", $ps,PDO::PARAM_STR) ;
$stmt->execute();
$count=$stmt->rowCount();
$data=$stmt->fetch(PDO::FETCH_OBJ);
OR
--
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM customers where id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
$row = $q->fetch(PDO::FETCH_ASSOC);
echo $row[id];
Database::disconnect();
//loop
$WorldSql = "SELECT id,woeid,collection_dt,trend,country,city FROM trends WHERE woeid = :WorldID AND trim(trend)!='' AND DATE(collection_dt)='$CurrentDate' ORDER BY trendid ASC";
//echo '<br> Sql Display '.$WorldSql;
$WorldSql = $pdo->prepare($WorldSql);
$WorldSql -> bindParam(':WorldID', $WorldID);
$WorldSql -> execute();
$result = $WorldSql->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $key => $value) {
//$trendURL=trim($value->trendUrl);
$tweetTrend.= trim($value->trend) . ', ';
}
// insert data
if ($valid) {
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO customers (name,email,mobile) values(?, ?, ?)";
$q = $pdo->prepare($sql);
$q->execute(array($name,$email,$mobile));
$emplastId = $pdo->lastInsertId();
Database::disconnect();
header("Location: index.php");
}
//insert an array into a single MySQL Prepared statement w/ PHP and PDO
// or multiple sql statement or more query or php pdo insert array values
$mname = $_POST['mname'];
$tcode = $_POST['tcode'];
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
for($i=0;$i<count($_POST['categories']);$i++){
$data[] = $_POST['categories'][$i];
}
$sql = 'INSERT INTO modules (modulename, modulecode, occid) VALUES ';
$insertQuery = array();
$insertData = array();
foreach ($data as $row) {
$insertQuery[] = '(?, ?, ?)';
$insertData[] = $_POST['mname'];
$insertData[] = $_POST['tcode'];
$insertData[] = $row;
}
if (!empty($insertQuery)) {
$sql .= implode(', ', $insertQuery);
$stmt = $pdo->prepare($sql);
$stmt->execute($insertData);
}
// update data
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "UPDATE customers set name = ?, email = ?, mobile =? WHERE id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($name,$email,$mobile,$id));
Database::disconnect();
header("Location: index.php");
// delete data
$pdo = Database::connect();
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "DELETE FROM customers WHERE id = ?";
$q = $pdo->prepare($sql);
$q->execute(array($id));
Database::disconnect();
header("Location: index.php");
// count records with injection preventation at virtualfollow/feed
$sql="SELECT woeid,trend FROM trends WHERE woeid=:Mywoeid AND trim(trend)=:Mytrend";
$stmt = $pdo->prepare($sql);
$stmt->bindParam("Mytrend", $trendDB,PDO::PARAM_STR) ;
$stmt->bindParam("Mywoeid", $WorldID,PDO::PARAM_STR) ;
$stmt->execute();
$count=$stmt->rowCount();
//$data=$stmt->fetch(PDO::FETCH_OBJ);
//echo '<br> total '. $count . ' ' . $trendDB;
if ($count < 1) {
insert data
}
//bind value example
$user_id = 16;
$query = $SQL->prepare('SELECT tags FROM users WHERE user_id = :uid');
$query->bindValue(':uid', $user_id, PDO::PARAM_INT);
$query->execute();
// count records -- see my-emarketing-home.php
$stmt = $pdo->prepare("SELECT ComposedID,EmailName,AdminID,Subject,default_email_id FROM raj_composed_emails WHERE AdminID = '$_SESSION[MemberID]' and default_email_id='1' ");
$stmt->execute();
$dRow = $stmt->fetch();
echo count($stmt);
//all your results is in $rows array
//$stmt->setFetchMode(PDO::FETCH_ASSOC);
if (count($stmt) > 0) {
$dmail = $dRow['Subject'];
$eid=$dRow['ComposedID'];
foreach ($dRow as $row) {
//output your rows
}
}
- See more at: http://www.startutorial.com/articles/view/php-crud-tutorial-part-3#sthash.XJpiJUqb.dpuf
Post a Comment