Posted: Thu Aug 24, 2006 6:41 am
in PDO it is yes, but not if you are interacting with the DB directly.
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
ole wrote:
in PDO it is yes, but not if you are interacting with the DB directly.

just reviewed the code posted earlier in this thread and he uses mysql variables.
Code: Select all
SQL:
SELECT @message_id := $message_id;
SELECT message.body FROM message WHERE message.message_id = @message_id;

ole wrote:
I'd be interested to know if you think you could better it. Post back.

Don't think that I can better it, I just like to do it myself. Get to know what's going on under the hood better.
sike wrote:
just reviewed the code posted earlier in this thread and he uses mysql variables.
that won't protect you from anything - so you are right (:

Not quite true. What it does: it guarantees that in the second SELECT the value would be scalar. Sure, it may still not be the value you expect, because the first SELECT is open to sql injection.
Weirdan wrote:
sike wrote:
just reviewed the code posted earlier in this thread and he uses mysql variables.
that won't protect you from anything - so you are right (:

Not quite true. What it does: it guarantees that in the second SELECT the value would be scalar. Sure, it may still not be the value you expect, because the first SELECT is open to sql injection.

that's the typical sql injection. doesn't matter if it's the first or the second query that is vulnerable (at least for me).
Jenk wrote:
I've not actually tested it.. but can you run multiple queries like that and keep the value of the variables?

Code: Select all
<?php
$bar = 'something';
// Double quotes are needed for $bar to be interpolated at all, and the value
// has to be quoted and escaped before it goes into the SQL text; this first
// statement is where untrusted input would enter.
mysql_query("SELECT @foo := '" . mysql_real_escape_string($bar, $link) . "'", $link);
// @foo is a session variable: it keeps its value for the lifetime of $link,
// so a later query on the same connection can still read it.
$result = mysql_query('SELECT * FROM `table` WHERE `column` = @foo', $link);
?>

yes.
Code: Select all
insert into product_category (title) values ('category title');
select @category := LAST_INSERT_ID();
insert into product (title,category_id) values ('Product1',@category);
insert into product (title,category_id) values ('Product2',@category);
insert into product (title,category_id) values ('Product3',@category);
insert into product (title,category_id) values ('Product4',@category);
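An added example, not code from this thread or from any of its posters: the two-statement message lookup discussed above and the LAST_INSERT_ID sequence just posted, both rewritten with PDO prepared statements, which is the "in PDO it is yes" case from the first post. The user variable only guarantees that the second query compares against one scalar; what closes the hole is that the untrusted value never becomes part of the SQL text. Table and column names are the thread's own; the DSN, credentials and function names are assumed.

```php
<?php
// Assumed connection settings (placeholders, not from the thread).
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Server-side prepares: bound values are sent separately from the SQL text.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The shape the thread started from, for comparison only:
//   "SELECT @message_id := $message_id"   // $message_id spliced into SQL
//   "SELECT message.body FROM message WHERE message.message_id = @message_id"
// @message_id makes the second statement compare against a single scalar,
// but the first statement is still built from raw input.

// Hardened version: validate the type, then bind the value as a parameter.
function fetchMessageBody(PDO $pdo, $messageId)
{
    if (!is_int($messageId) && !ctype_digit((string) $messageId)) {
        throw new InvalidArgumentException('message_id must be an integer');
    }
    $stmt = $pdo->prepare(
        'SELECT message.body FROM message WHERE message.message_id = ?'
    );
    $stmt->bindValue(1, (int) $messageId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn(); // false when no such row exists
}

// User variables are scoped to the connection, so they survive between
// statements issued on the same $pdo handle, just as with mysql_query().
// The variable is set by a statement that contains no untrusted input;
// every caller-supplied title is bound.
function createCategoryWithProducts(PDO $pdo, $categoryTitle, array $productTitles)
{
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare('INSERT INTO product_category (title) VALUES (?)');
        $ins->execute([$categoryTitle]);

        // Same effect as the thread's "select @category := LAST_INSERT_ID()";
        // SET returns no result set, so exec() is the right call for it.
        $pdo->exec('SET @category = LAST_INSERT_ID()');

        $prod = $pdo->prepare(
            'INSERT INTO product (title, category_id) VALUES (?, @category)'
        );
        foreach ($productTitles as $title) {
            $prod->execute([$title]);
        }
        $pdo->commit();
    } catch (Exception $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Usage (assumed tables as in the thread):
createCategoryWithProducts($pdo, 'category title',
    ['Product1', 'Product2', 'Product3', 'Product4']);
$body = fetchMessageBody($pdo, 42);
```

One caveat that applies equally to the mysql_query() code above: a user variable lives as long as the connection, so with persistent connections (PDO::ATTR_PERSISTENT) a value left in @category by one request is still visible to the next request that reuses that connection. Set the variable immediately before the statements that read it, as done here, rather than relying on an earlier value.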
Code: Select all
mysql> SELECT @foo := 10, @bar := 20;
+------------+------------+
| @foo := 10 | @bar := 20 |
+------------+------------+
|         10 |         20 |
+------------+------------+
1 row in set (0.00 sec)
mysql> SELECT @foO;
+------+
| @foO |
+------+
|   10 |
+------+
1 row in set (0.00 sec)