ADOdb's Prepare Method and MySQL
I am wondering if anyone knows if using ADOdb's prepare statement works 'properly' for a MySQL connection? I'm not clear on whether I'm actually successfully preventing SQL injection, or if the prepare method is just emulated for MySQL.
Would something like this:
$prepped = $db->Prepare("INSERT INTO my_table (field_1, field_2) VALUES (?, ?)");
$db->Execute($prepped, array($someValue, $anotherValue));
be safe to use in a MySQL connection?
$sql = "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)";
$vals = array($someValue, $anotherValue);
$db->Execute($sql, $vals);
// Or if it's a SELECT statement and you want the results of the query:
// $result = $db->Query($sql, $vals);
This of course assumes you've set the $db variable already with:
$db = Loader::db();
The default Concrete driver for ADOdb is 'mysqlt', as can be seen on line 500 in concrete/config/base.php. That driver doesn't have true support for prepared statements. Instead they are emulated, as can be seen on line 993 in concrete/libraries/3rdparty/adodb/adodb.inc.php.
Strings are quoted by that emulation, so I guess it's safe.
You can get real prepared statements by switching to the PDO driver. Just add this line to your config/site.php:
I've verified this by adding a debug-print in the emulation code. The debug-print is executed when using mysqlt, but not when using pdo_mysql.
So I guess we can't use prepared statements in Concrete 5.6. Bummer.
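To make the emulation described above concrete, here is an added illustration (not ADOdb's or Concrete's own code) of how a client-side Prepare/Execute emulation splices quoted values into the SQL; quoteString() and emulatePrepare() are constructed stand-ins for ADOdb's qstr() and placeholder substitution, simplified for reading.

```php
<?php
// Added illustration, not ADOdb's own code: a simplified model of how an
// emulated Prepare/Execute substitutes parameters on the client, so you can
// reason about what the mysqlt driver does with untrusted values.

// Constructed stand-in for ADOdb's qstr(): backslash-escape \ and ', then wrap
// in single quotes. Production code needs a charset-aware escape routine
// (mysqli_real_escape_string) or, better, server-side prepared statements.
function quoteString(string $s): string {
    // Order matters: escape backslashes first, then single quotes.
    return "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $s) . "'";
}

// Emulated binding: split the SQL on '?' and splice in one typed literal per
// placeholder. Throws on a count mismatch instead of silently emitting a
// truncated statement. Caveat: a literal '?' inside a quoted string in the
// SQL text would also be treated as a placeholder by this naive split.
function emulatePrepare(string $sql, array $params): string {
    $parts = explode('?', $sql);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $out = $parts[0];
    foreach (array_values($params) as $i => $v) {
        if (is_null($v)) {
            $lit = 'NULL';
        } elseif (is_bool($v)) {
            $lit = $v ? '1' : '0';
        } elseif (is_int($v) || is_float($v)) {
            $lit = (string) $v;                 // numerics are passed unquoted
        } else {
            $lit = quoteString((string) $v);    // everything else becomes a string literal
        }
        $out .= $lit . $parts[$i + 1];
    }
    return $out;
}

// Constructed sample input: a value containing a single quote is kept inside
// the string literal rather than becoming SQL syntax.
$sql = "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)";
echo emulatePrepare($sql, ["O'Brien", 42]), PHP_EOL;
```

Note that pdo_mysql also emulates prepares on the client by default; the statement only reaches the server as a real prepared statement when PDO::ATTR_EMULATE_PREPARES is set to false on the connection.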