I am using prepared statements for a search functionality using PDO, with a LIKE clause. MySQL 5.5.32.
```php
function dblink() {
    # hidden #
    $conn = new PDO("mysql:host=localhost;dbname=$database", $username, $password, array(
        PDO::ATTR_PERSISTENT         => true,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ  // key needs =>, a comma would pass FETCH_OBJ as a bare array element
    ));
    return $conn;
}

$conn = dblink();
$query = "SELECT * FROM tablename WHERE attrib LIKE ? ;";
$stmt = $conn->prepare($query);
// the user's input is bound as data; the trailing % is appended as a wildcard
$stmt->execute(array($_POST['field'] . "%"));
$results = $stmt->fetchAll(PDO::FETCH_OBJ);
```
This dumps the table contents when the user enters % in the field in the HTML form. I thought the prepared statement would handle it, but with the % in execute it matches the substring entered.
How do I use the POST field as normal text so that it doesn't cause such a problem?
This dumps the table contents when the user enters % in the field in the HTML form.
Yes. That's the exact purpose of the LIKE operator.
No, it has nothing to do with prepared statements. The latter are used to format data, not to interfere with query logic.
If you don't like the way the code works - change it. At the moment it works the way it was coded, with no flaws.
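The change the answer points at, as an added example (not code from the asker or the answerer): prepared statements stop the input from altering the SQL, but `%` and `_` are still LIKE wildcards inside the bound data, so the application has to escape them itself if the user's text is meant to match literally. The table and column names (`tablename`, `attrib`) are the question's; `searchByPrefix`, `escapeLikePattern` and the `!` escape character are assumptions of this example.

```php
<?php
// Added example; assumes a PDO connection like the question's dblink()
// (emulated prepares off) and the question's table/column names.

/**
 * Neutralise LIKE metacharacters in user input so that "%" and "_"
 * typed by the user match themselves instead of acting as wildcards.
 * "!" is used as the escape character and must be declared with
 * ESCAPE in the SQL statement that consumes the pattern.
 */
function escapeLikePattern(string $value, string $escape = '!'): string
{
    // Escape the escape character first, then the two LIKE wildcards.
    // str_replace applies the pairs in order, so "!" inserted by the
    // later replacements is not re-escaped.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function searchByPrefix(PDO $conn, string $userInput): array
{
    // Only the "%" appended here is a wildcard; everything the user
    // typed is matched literally. LIMIT bounds the result size, since
    // an empty search term still yields the pattern "%" and would
    // otherwise return the whole table.
    $sql = "SELECT * FROM tablename WHERE attrib LIKE ? ESCAPE '!' LIMIT 100";
    $stmt = $conn->prepare($sql);
    $stmt->execute([escapeLikePattern($userInput) . '%']);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Usage with the question's connection function (assumed to exist):
// $results = searchByPrefix(dblink(), (string) ($_POST['field'] ?? ''));
```

If an empty search term should not list anything at all, reject it before calling `searchByPrefix`; the escaping alone cannot distinguish "match everything" from "the user typed nothing".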