Can you run queries in PDO without preparing them? I am aware of the SQL-Injection issues that can arise with this but I am in a test environment.
I want to be able to write pure MySQL queries and just execute them, not have to prepare the query, bind the placeholders etc...
I would like to be able to execute a query like the following instantly.
INSERT INTO table (table_id, car, bike, date) VALUES (1, 'bmw', 'suzuki', 2004)
I seem to be getting errors running execute() directly on this query.
Thanks in advance.
PDO::query() prepares and executes an SQL statement in a single function call, returning the statement as a PDOStatement object.
SELECT query without parameters If there are no variables going to be used in the query, we can use a conventional query() method instead of prepare and execute. $stmt = $pdo->query("SELECT * FROM users"); This will give us an $stmt object that can be used to fetch the actual rows.
The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks.
Description ¶ Prepares an SQL statement to be executed by the PDOStatement::execute() method. The statement template can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed.
PDO::query () prepares and executes an SQL statement in a single function call, returning the statement as a PDOStatement object.
Use the PDO::exec method to execute a statement that returns no result set. Use the PDO::query method to execute a statement that returns one or more result sets. Important: To avoid the security threat of SQL injection attacks, use the PDO::exec or PDO::query method only to execute SQL statements composed of static strings.
If you were using PDO, it would be very simple. Just a few parameters in the main configuration file would need changing, and you’d be done. Parameter binding is a feature that allows you to replace placeholders in your query with the value of a variable. It means: You don’t have to know, at runtime, how many placeholders you will have.
"MySQL doesn't supporting binding output parameters via its C API. You must use SQL level variables:" So the 'workaround' for Mysql and PDO is to use two SQL calls. Hope this helps someone.
The idea of prepared statements is not primarily that you can bind parameters, but that you can reuse the compiled statement multiple times, which should increase efficiency.
The prepare-execute workflow isn't too inconvenient for one-off use cases, but PDO offers other methods as well:
exec
executes a statement and returns the number of affected rows. It is useful for initialization stuff, but not for SELECT
s.query
is useful for static queries that don't involve untrusted input. It is similar to prepare-execute, but does not allow parameters, and does not allow the reuse of the compiled query.Due to these limitations, they should generally only be used on static queries (i.e. the query is a plain string and not constructed from concatenations with variables).
You can safely escape user input with the quote
method, so you could do something like
// untrusted data:
$car = 'bmw';
$bike = 'suzuki';
$year = 2004;
...
$dbh->exec('INSERT INTO table (table_id, car, bike, date) VALUES (1, '. $dbh->quote($car) .', '. $dbh->quote($bike) .', '. $dbh->quote($year) .')');
But this is so inconvenient that you'll end up using
$dbh->prepare('INSERT INTO table (table_id, car, bike, date) VALUES (1, :car, :bike, :year)')
->execute(array(':car' => $car, ':bike' => $bike, ':year' => $year));
instead.
Don't use a PDOStatement
just use the PDO connection object directly.
$conn = new PDO("....");
$result = $conn->exec("INSERT INTO table (table_id, car, bike, date) VALUES (1, bmw, suzuki, 2004)");
or
$result = $conn->query("SELECT * FROM table");
http://www.php.net/manual/en/pdo.query.php
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With