Is there any Online Web Tool that Convert mySQL Query To Zend FrameWork Query.
that is i type mySql Query and the Tool Convert it to Zend FrameWork equivalent Query
You don't need a tool for this. Within Zend Framework's Zend_Db, component, you can do:
$stmt = $db->query($sql);
If $sql is a select, then you can retrieve the data with:
$rows = $stmt->fetchAll();
Alternatively, ZF is just a PHP framework, so there's nothing stopping you continuing to use PDO or mysqli directly.
Related
I'm using a MySql database and was trying to find a MySQL alternative to tedious.js (a SQL server parameterised query builder).I'm using Node.js for my backend.
I read that the .raw() command from knex.js is susceptible to sql injection, if not used with bindings.
But are the other commands and knex.js as a whole safe to use to prevent sql injection? Or am I barking up the wrong tree?
Read carefully from knex documentation how to pass values to knex raw (http://knexjs.org/#Raw).
If you are passing values as parameter binding to raw like:
knex.raw('select * from foo where id = ?', [1])
In that case parameters and query string are passed separately to database driver protecting query from SQL injection.
Other query builder methods always uses binding format internally so they are safe too.
To see how certain query is passed to database driver one can do:
knex('foo').where('id', 1).toSQL().toNative()
Which will output SQL string and bindings that are given to driver for running the query (https://runkit.com/embed/2yhqebv6pte6).
Biggest mistake that one can do with knex raw queries is to use javascript template string and interpolate variables directly to SQL string format like:
knex.raw(`select * from foo where id = ${id}`) // NEVER DO THIS
One thing to note is that knex table/identifier names cannot be passed as bindings to driver, so with those one should be extra careful to not read table / column names from user and use them without properly validating them first.
Edit:
By saying that identifier names cannot be passed as bindings I mean that when one is using ?? knex -binding for identifier name, that will be rendered as part of SQL string when passed to the database driver.
mysql_query("INSERT INTO user_badges (user_id, badge_id)
VALUES ('". $_SESSION['user']['id'] ."',VIP)");
How can I make this safe?
Use newer functions like mysqli_query or even better PDO library.
Bind params, do not inject them in query.
Sanitize your params.
Read:
About PDO, About MySQLi, About sanitizing in PHP.
How do I get the raw SQL string sent to the server from the ORM? How do I intercept it in order to do custom work?
I want to forward the query to a custom driver. My target is MS SQL Server via NodeJS - from a Linux environment.
But I don't want to reinvent the wheel. I want to reuse the existing SqlServer query builder.
As long as your query is not executed by toArray() or something similar, you can use $q->sql() to retrieve the raw sql query that cakePHP will execute:
$q = $this->Model->find('all');
$this->log($q->sql()); // log raw sql query
$query = $this->find();
debug($query);
$query is a query object from where you can get the raw SQL expression.
I have a complicated query and since I need that my module work on both mysql and postgres, I need to write two version of it.
Unfortunately, I don't know how I can check if the db I use is mysql or postgres, to know which query use. Do you know if a function can return this value?
As #kordirko says, one option is to query the server version: SELECT version(); will work on both MySQL and PostgreSQL, though not most other database engines.
Parsing version strings is always a bit fragile though, and MySQL returns just a version number like 5.5.32 wheras PostgreSQL returns something like PostgreSQL 9.4devel on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.7.2 20121109 (Red Hat 4.7.2-8), 64-bit. What do you do if you're connecting to a PostgreSQL-compatible database like EnterpriseDB Postgres Plus, or a MySQL-compatible database?
It's much safer to use the Drupal function for the purpose, DatabaseConnection::databaseType. This avoids a query round-trip to the DB, will work on databases that won't understand/accept SELECT version(), and will avoid the need to parse version strings.
You'll find this bug report useful; it suggests that the correct usage is Database::getConnection()->databaseType().
(I've never even used Drupal, I just searched for this).
As long as the abstract DatabaseConnection class extends PDO class, you can invoking pdo methods in order to know the current database driver.
For instance:
$conn = Database::getConnection();
print $conn->getAttribute($conn::ATTR_DRIVER_NAME); #returns mysql, pgsql...
There is a second way to do it using DatabaseConnection::driver():
print $conn->driver();
or DatabaseConnection::databaseType();
print $conn->databaseType();
Note that DatabaseConnection::driver() and DatabaseConnection::databaseType() are similar functions but not equals!
The return value from DatabaseConnection::driver() method depends on the implementation and other factors.
in the Drupal Database API page:
database.inc abstract public DatabaseConnection::driver()
This is not necessarily the same as the type of the database itself. For instance, there could be two MySQL drivers, mysql and mysql_mock. This function would return different values for each, but both would return "mysql" for databaseType().
In the most cases you just gonna want to use only
$conn->getAttribute($conn::ATTR_DRIVER_NAME)
or $conn->databaseType()
If you want get more specific properties, you should take advantage the PHP ReflectionClass features:
$conn = Database::getConnection();
$ref = new ReflectionClass($conn);
#ref->getProperties, ref->getConstants $ref->isAbstract...
Reference:
PDO::getAttribute
PDO::ATTR_DRIVER_NAME
Drupal Database API
Drupal Base Database API class
I am using perl dbi connection to pull data remotely. I am looking to compress the data if possible.
Is there a way to do a file compression over the net with perl dbi for mysql?
Here is my snippet for getting data:
my $sth = $dbh->prepare("SELECT UUID(), '$node', 1, 2, 3, 4, vts FROM $tblist");
$sth->execute();
while (my($uid, $hostnm,$1,$2,$3,$upd,$vts) = $sth->fetchrow_array() ) {
print $gzip_fh "rec^A$uid^Ehost^A$hostnm^E1^A$1^E2^A$2^E3^A$3^E4^A$upd^Evts^A$vts^D";
}
$sth->finish;
Best option will be to use prepared statements; with this, once you have compiled the statement once you just have to send the arguments over the wire each time you need to run the queries.
The example here shows how to perform a simple prepare, if you are going to utilize the same query over and over again you should keep your $sth which you can continue to call $sth->execute() on with new variables. The reason this cuts down on your network traversal is because you're not sending the query each time you run $sth->execute($var), instead you're just passing an ID for the prepared statement and the variables that go into the ? placeholders.
$sth = $dbh->prepare("select * from table where column=?");
$sth->execute($var);