
First - my code works and no problem with that, but it is not completely safe. I don't know how to bind my query. I know about bindParam / bindValue but I don't have any idea how to use those in my case...

My query consists of parts and the parts depend on the AJAX POST:

```php
<?php
// Each optional filter is taken straight from the POST body
// and spliced into the SQL text as-is (this is the unsafe part).
if (!empty($_POST['manufacturers']))
    $manufacturers = $_POST['manufacturers'];
else
    $manufacturers = null;

if (!empty($_POST['processors']))
    $processors = $_POST['processors'];
else
    $processors = null;

// Build the optional IN(...) clauses by string concatenation
if ($manufacturers != null)
    $manufacturers = ' AND manufacturer.slug IN(' . $manufacturers . ')';

if ($processors != null)
    $processors = ' AND processors.slug IN(' . $processors . ')';
```

And the complete query will be:

```php
$query = "bla bla my query";
$query = $query . $processors . $manufacturers;
```

An example query is:

```sql
SELECT manufacturer.name AS ManufName,
       model.model_name AS ModelName,
       processors.name ProcName,
       laptops.resolution,
       inches.name,
       graphic_card.name GraphName,
       laptops.memory_type,
       laptops.memory_size,
       laptops.ram,
       laptops.price,
       laptops.image_path
FROM manufacturer, model, processors, inches, graphic_card, laptops
WHERE manufacturer.id = laptops.manufacturer_id
  AND model.id = laptops.model_id
  AND inches.id = laptops.inches_id
  AND processors.id = laptops.processor_id
  AND graphic_card.id = laptops.graphic_card_id
  AND manufacturer.slug IN('Dell','Lenovo')
  AND processors.slug IN('Intel_core_i5','Intel_core_i7')
```

And from POST I get in this case: 'Dell','Lenovo' and secondly I get:

'Intel_core_i5','Intel_core_i7'

The query changes with every checkbox change in the user interface...

So if the user checks only a checkbox from manufacturers, then the query will not be the same as when the user checks checkboxes from both manufacturers and processors...

I need to prevent things like this:

```javascript
$.post('ajaxCallback.php', {manufacturers: 'sleep(15)'});
```

How do I bind this query, or how do I make this properly safe?

I appreciate any help and advice!

Thanks a lot!

david strachan
user2812532
  • So I am not really clear on what you are asking. How to dynamically build a query? I don't see where you are trying to put parameters in your query at all. – Mike Brant Mar 26 '14 at 22:16
  • The query works and it gives the right answers, but how do I bind this query, since I can't write it like normal ("SELECT * FROM bla WHERE bla2 = :bla3")? Because the query consists of parts that are not always in the final query, because that filter is not required in the query... The whole query changes with each checkbox change, not just an input... – user2812532 Mar 26 '14 at 22:22
  • You can build the full query (with the binding bit) using the dynamic part and then bind it, but you can't bind a query with an unknown chunk and fill it in later. The binding works by having the query without parameters passed in at bind time so that with parameters it's already in place. – Anthony Mar 26 '14 at 22:23
  • Oh, I noted this question to answer it later and forgot. It seems I never find time though. There are 2 questions in one - how to bind an array into an IN clause and how to run conditional queries. Here is the answer for the first http://stackoverflow.com/a/15991146/285587 and here is for the second http://stackoverflow.com/a/11231629/285587 – Your Common Sense Mar 27 '14 at 11:33
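The approach the comments describe, worked through as an added example (not code from the question or from any answer): the optional filters are still appended conditionally, but each IN(...) list is generated as `?` placeholders and the values are passed to PDO separately, so a posted value such as `sleep(15)` is only ever compared against the slug column as a string. It assumes the checkbox values arrive as PHP arrays (`manufacturers[]=Dell&manufacturers[]=Lenovo`, which is what jQuery's `$.post` sends for a JavaScript array) and uses a placeholder DSN and credentials.

```php
<?php
// Added example: conditional IN(...) filters with PDO placeholders.
// Column names come from code, never from the request; only values are bound.

function inClause(string $column, array $values, array &$params): string
{
    // One "?" per value: IN(?,?,?) for three values
    $placeholders = implode(',', array_fill(0, count($values), '?'));
    foreach ($values as $v) {
        $params[] = (string) $v;   // value travels out-of-band, not in the SQL text
    }
    return " AND $column IN($placeholders)";
}

function buildFilterQuery(array $post, array &$params): string
{
    $params = [];
    $sql = 'SELECT manufacturer.name AS ManufName,
                   model.model_name AS ModelName,
                   processors.name AS ProcName,
                   laptops.price
            FROM manufacturer, model, processors, laptops
            WHERE manufacturer.id = laptops.manufacturer_id
              AND model.id = laptops.model_id
              AND processors.id = laptops.processor_id';

    // An empty list would produce "IN()" (a syntax error), so skip it entirely;
    // a non-array value (e.g. a plain string) is ignored rather than spliced in.
    if (!empty($post['manufacturers']) && is_array($post['manufacturers'])) {
        $sql .= inClause('manufacturer.slug', $post['manufacturers'], $params);
    }
    if (!empty($post['processors']) && is_array($post['processors'])) {
        $sql .= inClause('processors.slug', $post['processors'], $params);
    }
    return $sql;
}

$params = [];
$sql = buildFilterQuery($_POST, $params);

// Placeholder connection details (assumption); native prepares keep the
// statement text and the parameter values separate on the server side.
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);            // values bound positionally, in clause order
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

For the example POST in the question the generated text ends in `AND manufacturer.slug IN(?,?) AND processors.slug IN(?,?)` with `$params` equal to `['Dell','Lenovo','Intel_core_i5','Intel_core_i7']`.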

0 Answers