Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Running queries in PDO without binding

Tags:

php

Can you run queries in PDO without preparing them? I am aware of the SQL-Injection issues that can arise with this but I am in a test environment.

I want to be able to write pure MySQL queries and just execute them, not have to prepare the query, bind the placeholders etc...

I would like to be able to execute a query like the following instantly.

INSERT INTO table (table_id, car, bike, date) VALUES (1, 'bmw', 'suzuki', 2004)

I seem to be getting errors running execute() directly on this query.

Thanks in advance.

like image 372
cecilli0n Avatar asked Apr 24 '14 12:04

cecilli0n


People also ask

What function do you use to run a query using a PDO object?

PDO::query() prepares and executes an SQL statement in a single function call, returning the statement as a PDOStatement object.

How do I SELECT a query in PDO?

SELECT query without parameters If there are no variables going to be used in the query, we can use a conventional query() method instead of prepare and execute. $stmt = $pdo->query("SELECT * FROM users"); This will give us an $stmt object that can be used to fetch the actual rows.

Does PDO prevent SQL injection?

The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks.

Which PDO method is used to prepare a statement for execution?

Description ¶ Prepares an SQL statement to be executed by the PDOStatement::execute() method. The statement template can contain zero or more named (:name) or question mark (?) parameter markers for which real values will be substituted when the statement is executed.

What is query () function in PDO?

PDO::query () prepares and executes an SQL statement in a single function call, returning the statement as a PDOStatement object.

How do I execute a statement in the PDO?

Use the PDO::exec method to execute a statement that returns no result set. Use the PDO::query method to execute a statement that returns one or more result sets. Important: To avoid the security threat of SQL injection attacks, use the PDO::exec or PDO::query method only to execute SQL statements composed of static strings.

What is parameter binding in PDO?

If you were using PDO, it would be very simple. Just a few parameters in the main configuration file would need changing, and you’d be done. Parameter binding is a feature that allows you to replace placeholders in your query with the value of a variable. It means: You don’t have to know, at runtime, how many placeholders you will have.

How to bind output parameters in MySQL to PDO?

"MySQL doesn't supporting binding output parameters via its C API. You must use SQL level variables:" So the 'workaround' for Mysql and PDO is to use two SQL calls. Hope this helps someone.


2 Answers

The idea of prepared statements is not primarily that you can bind parameters, but that you can reuse the compiled statement multiple times, which should increase efficiency.

The prepare-execute workflow isn't too inconvenient for one-off use cases, but PDO offers other methods as well:

  • exec executes a statement and returns the number of affected rows. It is useful for initialization stuff, but not for SELECTs.
  • query is useful for static queries that don't involve untrusted input. It is similar to prepare-execute, but does not allow parameters, and does not allow the reuse of the compiled query.

Due to these limitations, they should generally only be used on static queries (i.e. the query is a plain string and not constructed from concatenations with variables).

You can safely escape user input with the quote method, so you could do something like

// untrusted data:
$car = 'bmw';
$bike = 'suzuki';
$year = 2004;
...
$dbh->exec('INSERT INTO table (table_id, car, bike, date) VALUES (1, '. $dbh->quote($car) .', '. $dbh->quote($bike) .', '. $dbh->quote($year) .')');

But this is so inconvenient that you'll end up using

$dbh->prepare('INSERT INTO table (table_id, car, bike, date) VALUES (1, :car, :bike, :year)')
    ->execute(array(':car' => $car, ':bike' => $bike, ':year' => $year));

instead.

like image 108
amon Avatar answered Oct 11 '22 18:10

amon


Don't use a PDOStatement just use the PDO connection object directly.

$conn = new PDO("....");
$result = $conn->exec("INSERT INTO table (table_id, car, bike, date) VALUES (1, bmw, suzuki, 2004)");

or

$result = $conn->query("SELECT * FROM table");

http://www.php.net/manual/en/pdo.query.php

like image 35
Reactgular Avatar answered Oct 11 '22 18:10

Reactgular