ADOdb's Prepare Method and MySQL

Howdy,

I am wondering if anyone knows if using ADOdb's prepare statement works 'properly' for a MySQL connection? I'm not clear on whether I'm actually successfully preventing SQL injection, or if the prepare method is just emulated for MySQL.

Would something like this:

$prepped = $db->Prepare("INSERT INTO my_table (field_1, field_2) VALUES (?, ?)");
$db->Execute($prepped, array($someValue, $anotherValue));


be safe to use in a MySQL connection?

Thanks!

-Landson

jordanlev replied:
EDIT: Sorry, didn't see the exact code -- there's a simpler way -- see my next response below.
jordanlev replied (Best Answer):
I believe your code will work, but there's a simpler way (that is also more standard across the C5 code):
$sql = "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)";
$vals = array($someValue, $anotherValue);
$db->Execute($sql, $vals);
//Or if it's a SELECT statement and you want the results of the query:
// $result = $db->Query($sql, $vals);

This of course assumes you've set the $db variable already with:
$db = Loader::db();
Landson replied:
Thanks Jordan! My code is clearer and cleaner now, always nice to receive help.
trobro replied:
Not entirely true, at least not in Concrete 5.6.2.1.

The default Concrete driver for ADOdb is 'mysqlt', as can be seen on line 500 in concrete/config/base.php. That driver doesn't have true support for prepared statements. Instead they are emulated, as can be seen on line 993 in concrete/libraries/3rdparty/adodb/adodb.inc.php.

Strings are quoted by that emulation, so I guess it's safe.

You can get real prepared statements by switching to the PDO driver. Just add this line to your config/site.php:

define('DB_TYPE', 'pdo_mysql');


I've verified this by adding a debug-print in the emulation code. The debug-print is executed when using mysqlt, but not when using pdo_mysql.
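The distinction trobro describes (client-side emulation versus a true server-side prepare) is easiest to see by writing out what an emulation has to do with jordanlev's `$db->Execute($sql, $vals)` call. The following is an added illustration, not code from ADOdb or concrete5: it implements a minimal `?`-placeholder emulation that quotes each value and splices it into the SQL string, which is the only thing the `mysqlt` path can do, since the MySQL server never sees the template and the values separately. The `quoteValue()` escaping rules are a stand-in modelled on the characters `mysql_real_escape_string` handles, and the placeholder splitter assumes the SQL text itself contains no literal `?`; both are assumptions of this example, not a description of ADOdb's implementation.

```php
<?php
// Added example (not ADOdb's or concrete5's code): emulating Prepare()/Execute()
// on the client side, the way a driver without real prepared statements must.
declare(strict_types=1);

/**
 * Quote one PHP value for splicing into a MySQL statement.
 * Stand-in for a driver's qstr()/escape routine; the escaped characters follow
 * what mysql_real_escape_string documents: NUL, \n, \r, \, ', ", and \x1a.
 */
function quoteValue($value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    $escaped = strtr((string) $value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
    return "'" . $escaped . "'";
}

/**
 * Replace each ? placeholder with its quoted parameter.
 * Assumption: the SQL template contains no literal ? characters.
 * A count mismatch is an error, so a missing value can never leave a raw ?
 * or an unquoted value behind in the final statement.
 */
function emulatePrepared(string $sql, array $params): string
{
    $pieces       = explode('?', $sql);
    $placeholders = count($pieces) - 1;
    if ($placeholders !== count($params)) {
        throw new InvalidArgumentException(
            sprintf('%d placeholders but %d parameters', $placeholders, count($params))
        );
    }
    $out = $pieces[0];
    foreach (array_values($params) as $i => $value) {
        $out .= quoteValue($value) . $pieces[$i + 1];
    }
    return $out;
}

// Constructed sample input: a perfectly ordinary value that happens to contain
// a single quote, which is the case plain string concatenation gets wrong.
$sql  = "INSERT INTO my_table (field_1, field_2) VALUES (?, ?)";
$vals = ["O'Brien", 42];

// Naive concatenation: the quote in the value ends the literal early.
$concatenated = "INSERT INTO my_table (field_1, field_2) VALUES ('{$vals[0]}', {$vals[1]})";

// Emulated prepared statement: the value is quoted before being spliced in.
$emulated = emulatePrepared($sql, $vals);

echo "Concatenated: {$concatenated}\n";
echo "Emulated:     {$emulated}\n";
```

Run with `php emulate.php`: the concatenated form carries the bare `'` from the value straight into the statement, while the emulated form escapes it, which is why the emulation is still a defence as long as every value goes through the quoting path. With `pdo_mysql` no such string is ever built on the client; `$pdo->prepare($sql)->execute($vals)` sends the template and the values to the server separately, so the quoting rules of the client library stop being part of the trust boundary.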
trobro replied:
After switching to the PDO driver, I started getting error messages when changing settings in the dashboard. I switched back to the mysqlt driver, and then I no longer got the error messages.

So I guess we can't use prepared statements in Concrete 5.6. Bummer.