About

How to use prepared statements in Joomla?

Asked 13/3, 2014 at 9:12 Answered 13/3, 2014 at 9:22

O

1

7

How to use Prepare methods in joomla model?
for example in pdo we use :

db->prepare('INSERT INTO tbl (`city`,`date`,`uid`,`title`) VALUES(:city,:date,:uid,:title)');

How can I do it in the Joomla!

Oneness answered 13/3, 2014 at 9:12 Comment(1)

Sadly, there are currently no prepared statements for Joomla. Lodder's answer below uses "the next best thing" to properly quote strings in the query. This is a related answer that speaks on security. – Sosthenna 23/4, 2018 at 3:41

T

7

In Joomla, you always stick to the API which caters for the supported database types, like so:

$db = JFactory::getDbo();

$query = $db->getQuery(true);
$columns = array('city', 'date', 'uid', 'title');
$values = array($db->quote('value1'), $db->quote('value2'), $db->quote('value3'), $db->quote('value4'));

// Prepare the insert query.
$query
    ->insert($db->quoteName('#__tablename')) //make sure you keep #__
    ->columns($db->quoteName($columns))
    ->values(implode(',', $values));

$db->setQuery($query);
$db->query();

and for Joomla 3.x, you can replace $db->query(); with $db->execute();

Update:

As far as I know, Joomla 4 will use prepared statements in core. Here is a something I've mocked up, however have not tested:

    use Joomla\CMS\Factory;
    use Joomla\Database\ParameterType;

    $db = Factory::getDbo();

    // Your data
    $city = $db->quote('London');
    $date = $db->quote('21/01/2020');
    $uid = $db->quote(1234);
    $title = $db->quote('My Title');

    // Prepared query
    $query = $db->getQuery(true)
        ->insert($db->quoteName('#__tablename'))
        ->columns([
            $db->quoteName('city'),
            $db->quoteName('date'),
            $db->quoteName('uid'),
            $db->quoteName('title'),
        ])
        ->values(':city, :date, :uid, :title')
        ->bind(':city', $city, ParameterType::STRING)
        ->bind(':date', $date)
        ->bind(':uid', $uid, ParameterType::INTEGER)
        ->bind(':title', $title, ParameterType::STRING);

    $db->setQuery($query);
    $db->execute();

Tablet answered 13/3, 2014 at 9:22 Comment(11)

And what about if I want to use prepare statements in a query like SELECT * FROM a WHERE group = :group – Caesium 6/6, 2014 at 8:14

@OceanicSix - https://mcmap.net/q/1623131/-joomla-database-methods – Tablet 6/6, 2014 at 8:18

it is not working to me... "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste". I am using MySQL, might be that the problem? – Caesium 6/6, 2014 at 9:1

If you're having problems with your code, please ask a new question showing your code rather than commenting on here. – Tablet 6/6, 2014 at 9:19

Is this a prepared statement in Joomla? – Official 19/9, 2016 at 9:15

@RNKushwaha No, it is no prepared statement. It uses a regular statement. This syntax does not provide support for prepared statements. Maybe there will be support in the future but not now as far as I know of. – Robinette 15/4, 2019 at 10:14

@Tablet you may like to update this one: joomla.stackexchange.com/a/12120/12352 – Sosthenna 26/9, 2020 at 8:52

Calling quote() is unnecessary on bound values, correct? I don't have a J4 installation to test with. @Lod – Sosthenna 15/3, 2021 at 12:58

@Sosthenna It's always good practice to sanitize values when inserting content into the database. Prepared statements don't 100% prevent SQL injection. – Tablet 15/3, 2021 at 13:24

quote() isn't a value sanitising method. – Sosthenna 15/3, 2021 at 20:40

"Escape" then, you know what I mean – Tablet 16/3, 2021 at 6:51

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.