Hi Joel- I think what you propose for an integer value would work fine. The problem comes when you work with strings. SQL injection follows specific rules (i.e. "; delete from users; --"). Since it usually relies on ending the previous statement, injecting a new statement, and then commenting the rest of the query, the fear would be that a simple string concatenation, regardless of whether it is fully quoted, would not be sufficient.
Check this script out: https://github.com/doctrine/orientdb-odm/blob/master/src/Doctrine/OrientDB/Query/Query.php

And its tests are here: https://github.com/doctrine/orientdb-odm/blob/master/test/Doctrine/OrientDB/Query/QueryTest.php

I use that for most of my query generation, and have also written a few custom tokens for that parser for functions that don't yet exist in the canned code (for example Lucene geo index search). As Luca suggested, some brave soul needs to update the Doctrine library to incorporate the new PHP binary protocol that was released recently. This will presumably speed up the PHP driver, while still maintaining the legacy query building functions in the Doctrine library. There is an older PHP binary protocol included with Doctrine already, but it was pretty barebones and I haven't ever used it personally.

In any case, that library should have most of the query building functions you need, certainly enough to add a simple where statement to your query. If you want some example code of how to use the Doctrine query builder, let me know.

The Doctrine library also provides an ORM (Object Relational Mapper), but I have never used those features. I prefer to use the query generator by itself, and issue commands with the PHP database binding's query and command functions.

On Fri, May 15, 2015 at 12:22 AM, Joel Spriggs <[email protected]> wrote:

> I just started some work on a side project for a PHP project in Orient.
> I'm mostly used to using Orient in the Java API and the REST interface via
> javascript, but have a lot of experience in PHP. I was hoping the php
> driver would be able to do a prepared statement kind of query like I get in
> the Java API, but it's not there.
>
> Would you advise just using sprintf for query string building as a
> workaround? I'm looking at it in the context that I'm always paranoid
> about sql injection and don't want to do something like "Select from Person
> where age > $age" in php.
>
> The best thing I could think of right away was
> just writing it as:
>
> $query = sprintf("select from Person where age > %d", $age);
>
> But I wanted to see if that's really the preferred method to do that or if
> there was another way of doing it.
>
>
>
> On Tuesday, December 30, 2014 at 2:24:52 PM UTC-5, Lvc@ wrote:
>>
>> Hi guys,
>> Domenico (@ostico) didn't get any rest for Christmas and after the Python
>> Driver, he's just published the new PHP Driver for OrientDB aligned with a
>> recent version of the binary protocol, plus a nice API.
>>
>> Since @ostico is super active and both PHP and Python drivers are well
>> maintained, we decided, in agreement with the author, to adopt both of them
>> under the Orient Technologies umbrella:
>>
>> - *PHP Driver*: https://github.com/orientechnologies/PhpOrient
>> - *Python Driver*: https://github.com/orientechnologies/pyorient
>>
>> For all the users bound to Anton's driver (
>> https://github.com/AntonTerekhov/OrientDB-PHP) I suggest migrating to
>> this new driver to use the latest versions of OrientDB.
>>
>> The updated list of drivers is on this page:
>>
>> http://www.orientechnologies.com/docs/last/orientdb.wiki/Programming-Language-Bindings.html
>>
>> Thanks Domenico from the whole community!
>> Lvc@
>>
>> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "OrientDB" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/orient-database/v8kYNrS8sp4/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/d/optout.
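The point made in the reply above (sprintf with %d is fine for an integer, but a quoted string parameter can close the literal and start a second statement with "; delete from users; --"), shown in working PHP as an added example. This is not code from the thread, from PhpOrient or from the Doctrine OrientDB ODM; the function names are illustrative, and it assumes OrientDB SQL string literals are single-quoted and accept backslash escapes for the quote character and the backslash itself.

```php
<?php
// Added example, not from the thread or from PhpOrient / Doctrine.
// Assumption: OrientDB SQL accepts single-quoted string literals with
// \' and \\ as escapes. Verify against the server version you run.

declare(strict_types=1);

// Vulnerable: plain concatenation of a string parameter. A value that
// contains a single quote closes the literal early and whatever follows
// becomes part of the statement text.
function buildUnsafe(string $name): string
{
    return "select from Person where name = '" . $name . "'";
}

// Integer parameter, as in the thread: %d coerces the argument to an
// integer, so only digits can reach the query text.
function buildByAge($age): string
{
    return sprintf("select from Person where age > %d", $age);
}

// String parameter: reject control characters outright, then escape the
// two characters that can terminate the literal (backslash first, so the
// quote escape is not itself re-escaped), and wrap in quotes.
function orientString(string $value): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control characters are not allowed in a query value');
    }
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $value) . "'";
}

function buildByName(string $name): string
{
    return "select from Person where name = " . orientString($name);
}

// Identifiers (class and property names) cannot be quoted like values,
// so the only safe option is an allowlist of the characters they may use.
function orientIdentifier(string $ident): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
        throw new InvalidArgumentException("rejected identifier: $ident");
    }
    return $ident;
}

function buildByField(string $field, string $value): string
{
    return "select from Person where " . orientIdentifier($field) . " = " . orientString($value);
}

// Constructed payload in the shape described in the thread.
$payload = "x'; delete from users; --";

echo buildUnsafe($payload), PHP_EOL;          // literal closed early, two statements
echo buildByName($payload), PHP_EOL;          // quote escaped, one literal
echo buildByAge("18; delete from users"), PHP_EOL; // %d keeps only the integer

try {
    buildByField("name; delete from users", "bob");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

With the constructed payload, buildUnsafe() returns `select from Person where name = 'x'; delete from users; --'`, where the literal ends after `x` and a second statement follows; buildByName() returns `select from Person where name = 'x\'; delete from users; --'`, a single literal, provided the server honours the backslash escape assumed above. buildByAge() returns `select from Person where age > 18` because %d discards everything after the leading digits, which is why the reply above considers the integer case safe. Identifiers get no quoting protection at all, hence the allowlist. In a real project the Doctrine query builder mentioned above is the better home for this logic than hand-written helpers.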
