
I am trying to edit some HTML in our database, specifically, I am trying to edit a class styling from auto; to 100%; the problem is the HTML sometimes has ' and sometimes " in it. I figured the easiest way would be to use db2_bind_param to safely run a few SQL queries. However, I do not understand how to use the db2_bind_param function in order to run my queries. My code is below:

foreach ($as400response as $as) {
    // Replace the current CSS declaration with the desired one
    // (htmlentities() is applied first, so the encoded HTML is what gets stored)
    $newAS = str_replace('width: auto;', 'width: 100%;', htmlentities($as['PARV']));

    // Draft the query to be passed to SQL (the values are concatenated into the SQL text;
    // array keys need quotes, $as[SKU] would be an undefined constant)
    $fix = "update swind.pimpd set parv='" . $newAS . "' where sku='" . $as['SKU'] . "' and sprc='" . $as['SPRC'] . "' and flddef='" . $as['FLDDEF'] . "'";

    // Prepare the SQL query on the db2 connection
    $stmt = db2_prepare($conn, $fix);

    // Call db2_bind_param, with $stmt being the prepared statement, 1 being the
    // 1-indexed position of the variable in the statement, $newAS being the variable to be bound
    db2_bind_param($stmt, 1, $newAS);

    // Test echo
    echo $fix;

    // Execute query
    db2_execute($stmt, array());

    // Show errors
    print_r(db2_stmt_errormsg());
}

The response I am getting back from db2_stmt_errormsg() is: Keyword OPEN not expected. Valid tokens: USE SKIP WAIT WITH FETCH LIMIT ORDER WHERE OFFSET. SQLCODE=-199. "OPEN" being the name of the font where the first ' appears in the HTML.
Am I not calling db2_bind_param properly?
Should the result of db2_bind_param then be passed into the drafted query?
Thank you in advance :)

BoogaBooga
  • When you use query parameters (and you should always do it to prevent SQL injection) you have to use parameter markers in the query, so `$fix = "update swind.pimpd set parv=? where sku=? and ..."`, and keep db2_bind_param, and add another for sku, but I'm no PHP developer, [see](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – nfgl Apr 12 '22 at 13:25
  • Ok thanks @nfgl, I tried doing it with `set parv=?` and it ended up inserting a `?`, which was a good lol, but maybe it has to be done with all the inserted variables? I'll give it a shot tomorrow and get back to ya – BoogaBooga Apr 12 '22 at 13:42
  • Maybe try to see what [Example #1](https://www.php.net/manual/de/function.db2-bind-param.php) does – nfgl Apr 12 '22 at 13:59
  • @nfgl hey, what's up, so I tried doing this `$fix = "update swind.pimpd set parv=? where sku=? and sprc=? and flddef=?"; $stmt = db2_prepare($conn, $fix); db2_bind_param($stmt, 1, $newPARV, DB2_PARAM_IN);` (repeated the db2_bind_param() for the other question marks) and nothing happens, not even an error message XD I also tried calling `db2_bind_param($stmt, 1, 'newPARV', DB2_PARAM_IN);` rather than the variable itself, and again nothing occurred, thought I'd just keep you updated XD – BoogaBooga Apr 13 '22 at 08:25
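
A working version of the update discussed in the comments, added here as an example; it is not the asker's code and not code from the ibm_db2 project. It assumes an open `$conn` from db2_connect(), the swind.pimpd columns named in the question (PARV, SKU, SPRC, FLDDEF), and a constructed sample row in place of the real `$as400response`. The reason the concatenated query fails is visible in the error: the `'` before `Open` in the stored `font-family: 'Open Sans'` closes the SQL string literal early, so DB2 reads `Open` as the next token (SQLCODE -199), and the same hole would let any SQL that follows a quote in the data run. With `?` markers the values are sent separately from the SQL text, so quotes in the data are just characters, and the htmlentities() call becomes unnecessary (it would only change the stored HTML). The example shows both ways ibm_db2 supplies parameters: db2_bind_param(), whose third argument is the *name* of a PHP variable as a string rather than the variable itself, and the simpler form of passing an array of values to db2_execute().

```php
<?php
// Added example (not the asker's code). Assumes $conn from db2_connect() and the
// swind.pimpd table with columns PARV, SKU, SPRC and FLDDEF from the question.

function fixWidth(string $html): string
{
    // Replace the whole declaration so the stored CSS stays valid.
    return str_replace('width: auto;', 'width: 100%;', $html);
}

// Parameter markers: one ? per value. The values travel separately from the SQL
// text, so a ' or " inside the HTML can no longer terminate the string literal.
const UPDATE_SQL = 'UPDATE swind.pimpd SET parv = ? WHERE sku = ? AND sprc = ? AND flddef = ?';

// Variant 1: db2_bind_param(). The third argument is the NAME of a PHP variable
// as a string; its value is read when db2_execute() runs, not at bind time.
function updateWithBindParam($conn, array $row): bool
{
    $stmt = db2_prepare($conn, UPDATE_SQL);
    if ($stmt === false) {
        fwrite(STDERR, 'prepare failed: ' . db2_stmt_errormsg() . PHP_EOL);
        return false;
    }

    $parv   = fixWidth($row['PARV']);
    $sku    = $row['SKU'];
    $sprc   = $row['SPRC'];
    $flddef = $row['FLDDEF'];

    $ok = db2_bind_param($stmt, 1, 'parv',   DB2_PARAM_IN)
       && db2_bind_param($stmt, 2, 'sku',    DB2_PARAM_IN)
       && db2_bind_param($stmt, 3, 'sprc',   DB2_PARAM_IN)
       && db2_bind_param($stmt, 4, 'flddef', DB2_PARAM_IN);
    if (!$ok) {
        fwrite(STDERR, 'bind failed: ' . db2_stmt_errormsg($stmt) . PHP_EOL);
        return false;
    }

    // No parameter array here: the bound variables supply the values.
    if (!db2_execute($stmt)) {
        fwrite(STDERR, 'execute failed: ' . db2_stmt_errormsg($stmt) . PHP_EOL);
        return false;
    }
    return true;
}

// Variant 2: no db2_bind_param() at all; hand the values to db2_execute() in
// marker order. Same protection against injection, fewer moving parts.
function updateWithExecuteArray($conn, array $row): bool
{
    $stmt = db2_prepare($conn, UPDATE_SQL);
    if ($stmt === false) {
        fwrite(STDERR, 'prepare failed: ' . db2_stmt_errormsg() . PHP_EOL);
        return false;
    }
    $ok = db2_execute($stmt, [fixWidth($row['PARV']), $row['SKU'], $row['SPRC'], $row['FLDDEF']]);
    if (!$ok) {
        fwrite(STDERR, 'execute failed: ' . db2_stmt_errormsg($stmt) . PHP_EOL);
    }
    return $ok;
}

// Constructed sample row (not real data): PARV carries the kind of single quote
// that broke the concatenated query in the question.
$as400response = [
    [
        'SKU'    => 'ABC123',
        'SPRC'   => 'P1',
        'FLDDEF' => 'DESC',
        'PARV'   => '<div style="width: auto; font-family: \'Open Sans\'">text</div>',
    ],
];

foreach ($as400response as $row) {
    // Either variant works; the array form is used here for the loop.
    if (!updateWithExecuteArray($conn, $row)) {
        fwrite(STDERR, 'update skipped for SKU ' . $row['SKU'] . PHP_EOL);
        continue;
    }
    echo 'updated SKU ', $row['SKU'], PHP_EOL;
}
```

Every ibm_db2 call returns false on failure and only db2_stmt_errormsg() says why, so check the return values: a bind that silently fails (for example because a value was passed where a variable name was expected) is exactly the "nothing happens, not even an error" outcome described in the comments. The variable names given to db2_bind_param() must be in scope when db2_execute() is called, which is why both bind and execute live in the same function above.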
