Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PHP pdo bindParam type management

Tags:

php

mysql

pdo

This is the post form:

 $funcname->name= htmlentities($_POST['name']);
 $funcname->insert();

this will be the function insert on class funcname which will insert the data to column named name

$this->conn->beginTransaction();
$stmt = $this->conn->prepare("INSERT INTO nameTBL (name) values (:name)";
$stmt->bindParam(':name', $this->name, PDO::PARAM_INT);
if ($stmt->execute()) {
         $this->conn->commit(); //This will save your changes
         $this->conn->exec('UNLOCK TABLES ' . self::$table_name);
         header('Location: ../');
         exit();
} else {
         $this->conn->rollBack(); //This will undo your changes
         $this->conn->exec('UNLOCK TABLES ' . self::$table_name);
         header('Location: ../');
         exit();
}

Now question is i have set PDO::PARAM_INT which should not allow characters but only integer why i am able to post text to database(table)?

is there any how i can highly restrict the data type on bindParam here.

thanks in advance.

like image 298
user3286490 Avatar asked Nov 08 '22 22:11

user3286490

1 Answers

You've got several mistakes in your code.

However, let's go over what the types PDO::PARAM_INT, PDO::PARAM_STR and PDO::PARAM_NULL are telling MySQL to do.

Those values are telling PDO how to treat the input, not to disallow input. If you send text, but the column is int then MySQL will attempt to coerce the data into int. It won't tell you "you entered abcd but expected value was integer". You must do this check on your own before passing data to PDO.

Now onto other problems:

  • Don't use bindParam. bindParam accepts the value by reference. This is intended for when you invoke stored procedures and variable is supposed to be modified based on procedure's output. Use bindValue. If you tried to do the following with bindParam, it wouldn't work and you'd get an error:

    $stmt->bindParam(':my_column', 1, PDO::PARAM_INT); // It fails and yields an error

  • Don't lock tables. You're already using transactions, no need to lock the table, MySQL handles concurrency and access for you.

Bottom line - perform validation before using PDO for inserting. PDO helps you clean the input based on connection information (among other things). It won't perform validation.

like image 83
N.B. Avatar answered Nov 15 '22 06:11

N.B.
Sign in to Comment

Related questions

Can't select rows individually without grouping
Creating a DataBase Table inside a Class as a Function
PhpStorm laravel 5 method not found
RewriteRule not working on production server
Zend Framework 2 - replace closures by factory in Module.php
Why I can't fetch data on the sometime by using curl_setopt and Ajax jquery?
ajax request not working for laravel 5.0
CakePHP 3.1 patchEntity always marking belongsToMany associations as dirty when clean
Generate random number in range [M....N] with mean X
How to send headers with phpunit api request?
When to create and delete PayPal WebProfile object (PHP)
Change 'descendants' relationship to 'siblings' relationship
Magento 1.9.2 - Save custom admin form product new & edit page (custom tab)
Multiple form include symfony (same page)
force download file with laravel
Chinese characters are not displaying in php from mysql database
How to make a form with that picks questions and saves answers from/into database
How can I get all points within a given range based on its latitude and longitude?
use Ionic framework with php files

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!