I use following code
$this->getDb()->fetchRow($sql, $params);
Is it free from sql injection? Please guide me. How i can make it free from sql injection.
use Zend_Db class, for Escaping
used the validator of the Zend_Form in order to filter the input values.
3.Uses Prepared Statements internally as much as possible like :
// Build this query:
// SELECT product_id, product_name, price
// FROM "products"
// WHERE (price < 100.00 OR price > 500.00)
// AND (product_name = 'Apple')
$minimumPrice = 100;
$maximumPrice = 500;
$prod = 'Apple';
$select = $db->select()
->from('products',
array('product_id', 'product_name', 'price'))
->where("price < $minimumPrice OR price > $maximumPrice")
->where('product_name = ?', $prod);
read more in this link :
http://static.zend.com/topics/Webinar-Zend-Secure-Application-Development-with-the-Zend-Framework.pdf
Related
I am working on a query that has an optional filter, so lets assume the table name is products and the filter is the id (primary key)
If the filter is not present I would do something like this:
SELECT * FROM products;
If the filter is present I would need to do something like this:
SELECT * FROM products WHERE id = ?;
I have found some potential solutions that can mix the 2 in sql rather than doing conditions in the back-end code itself
SELECT * FROM products WHERE id = IF(? = '', id, ?);
OR
SELECT * FROM products WHERE IF(? = '',1, id = ?);
I was just wondering which one would be faster (In the case of multiple filters or a very big table) Or is there a better solution to handle this kind of situation?
A better approach is to construct the WHERE clause from the parameters available. This allows the Optimizer to do a much better job.
$wheres = array();
// Add on each filter that the user specified:
if (! empty($col)) { $s = $db->db_res->real_escape_string($col);
$wheres[] = "collection = '$s'"; }
if (! empty($theme)) { $s = $db->db_res->real_escape_string($theme);
$wheres[] = "theme = '$s'"; }
if (! empty($city)) { $s = $db->db_res->real_escape_string($city);
$wheres[] = "city = '$s'"; }
if (! empty($tripday)) { $s = $db->db_res->real_escape_string($tripday);
$wheres[] = "tripday = '$s'"; }
// Prefix with WHERE (unless nothing specified):
$where = empty($wheres) ? '' :
'WHERE ' . implode(' AND ', $wheres);
// Use the WHERE clause in the query:
$sql = "SELECT ...
$where
...";
Simplest approach is OR:
SELECT *
FROM products
WHERE (? IS NULL OR id = ?);
Please note that as you will add more and more conditions with AND, generated plan will be at least poor. There is no fit-them-all solution. If possible you should build your query using conditional logic.
More info: The “Kitchen Sink” Procedure (SQL Server - but idea is the same)
I have tried to make codeigniter query from mysql query
my mysql query is:
select *
from class_routine
where
semester='$semester'
and day='$day'
and time_schedule='$time_schedule'
and (batch='$batch' or section='$section' or teacher='$teacher' or room='$room');
for above query what will be the codeigniter query ?
I will use this query in model.
First, you should consider looking at the Documentation before asking any question, then specify what you've looked at and what you did try, posting your code.
Anyways, try this and let me know:
$this->db->where(array('semester' => $semester, 'day' => $day, 'time_schedule' => $time_scehdule));
$this->db->where("batch = $batch OR section = $section OR teacher = $teacher OR room = $room", NULL, FALSE);
$result = $this->db->get('class_routine')->result();
When in doubt is perfectly safe to use a normal query:
$result = $this->db->query("SELECT * FROM ....")->result();
How can I do a Query like this using the Zend framework
SELECT * FROM `productos` AS `p`
LEFT JOIN (SELECT SUM(cantidad) AS transferencias FROM transferencias WHERE upc = p`.`upc` and sucursal = 10)
AS `trans` ON trans.upc = p.upc AND trans.sucursal_clave_destino = 10
Thank you in advance.
You need to try this one.
I can't try it but the way of resolve it you can use from my query
$this->getAdapter()
->select()
->from(array('p' => 'productos'))
->joinLeft(array('trans' => $this->getAdapter()
->select()
->from('transferencias', 'SUM(cantidad)')
->where('upc IN (?)', $this->getAdapter()
->select()
->from('productos', 'upc')
)->where('sucursal = ?', 10)
), 'trans.upc = p.upc')
->where('trans.sucursal_clave_destino = ?', 10)
->query()
->fetchAll();
First of all, I'm afraid it's impossible for your query to run because the syntax is wrong. The correct way to write it is:
SELECT *, SUM(trans.cantidad) as cantidad
FROM productos AS p
LEFT JOIN transferencias AS trans
ON p.upc = trans.upc
WHERE trans.sucursal_clave_destino = 10 AND trans.sucursal = 10
First approach
I assume you have created your model in this manner: http://framework.zend.com/manual/1.12/en/learning.quickstart.create-model.html
For example, in your Default_Model_ProductosMapper:
function getXXXX(){
$select = "[THE ABOVE QUERY]";
$result = $this->getDbTable()->getAdapter()->fetchAll($select);
return $result;
}
This is the most basic approach.
Second approach
By using Zend_Db functions, which is like prepare statement in database concept. Only use it to increase safety if you are passing parameters from user input (see SQL injection), otherwise it's safe to use the first approach.
Still, in your mapper:
function getXXXX(){
$query = $this->getDbTable()->getAdapter()->select();
$query->from('productos', array());
$query->joinLeft('transferencias', 'productos.upc = transferencias.upc', array('SUM(trans.cantidad) as cantidad));
$query->where("trans.sucursal_clave_destino = 10");
$query->where("trans.sucursal = 10");
// get result
$stmt = $this->getDbTable()->getAdapter()->query($query);
$result = $stmt->fetchAll();
return $result;
}
Third approach
If you are using Database ORM like Doctrine2, you can also write SQL or DQL (Doctrine Query Language) queries, which syntax is highly similar with SQL queries but absolutely NOT the same mechanism. The document is here. This document covers both approaches above for DQL and also will tell you where to put them.
As you have observed I have put an ambiguous title for this question, as simply I do not realize (by lack of deep knowledge) if this is the true problem or not.
Let's start then with a short description:
Here is where I select my products:
$select_prod = "SELECT * FROM product WHERE product_id IN ($some_array)";
After that here is where I define the pagination stuff:
$query_page = mysql_query($select_prod);
$product_total = mysql_num_rows($query_page);
$page_rows = 4;
$last = ceil($product_total/$page_rows);
if ($page < 1) {
$page = 1;
} elseif ($page > $last) {
$page = $last;
}
$limit = 'limit ' .($page - 1) * $page_rows .',' .$page_rows;
And where I prepare the render
$page_query = mysql_query($select_prod . $limit);
$results = array();
while ($array_filter = mysql_fetch_array($page_query)) {
$results[] = $array_filter;
}
Until this point everything is flowing easily, and I get my products listed as I wanted, BUT in random ORDER.
I have tried to include "ORDER BY price ASC" at the end of the first query like this:
$select_prod = "SELECT * FROM product WHERE product_id IN ($some_array) ORDER BY price ASC";
but for a strange reason fails to list the products with the error:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given...
I've already had several hours in trying to find where could be the problem, and this forum seems to be the final try for me, after that I would let them order as they want to.
You really need to print out your full query directly before execution. Try this instead:
$select_prod = "SELECT * FROM product WHERE product_id IN ($some_array) ORDER BY price ASC ";
Or, change the limit line to have a space before the limit.
What I believe the problem is the the lack of space before limit. The snippet in ()limit 100 is valid SQL. The snippet in () order by price asclimit 100 is not valid SQL.
I have the following DQL query:
$query = Doctrine_Query::create()
->select('p.genre')
->from('Profile p')
->where('sf_guard_user_id = ?', 11);
If I return the SQL syntax with $sql = $query->getSqlQuery(); I get:
SELECT p.id AS p__id, p.genre AS p__genre FROM profile p WHERE (p.sf_guard_user_id = ?)
This is not normal. It should be 11 not ?:
SELECT p.id AS p__id, p.genre AS p__genre FROM profile p WHERE (p.sf_guard_user_id = 11)
And if I write:
$query = Doctrine_Query::create()
->select('p.genre')
->from('Profile p')
->where('sf_guard_user_id = ' . 11);
The SQL syntax is correct.
Normally DQL should do this automatically. Why isn't happening ?
This is how prepared statement works. Values will be bound on database server Hence doctrine can not show the real values with the query.
Doctrine will show a question mark if you use prepared statement not the real value.
Checkout how it is describing here