Using a straight PHP-level substitution like that performs the substitution 
before the SQL parser sees it. It’s also super dangerous if you’re not 
absolutely sure there’s no path for an untrusted agent to inject the name 
you’re selecting on.

https://xkcd.com/327/

On 7/21/17, 3:42 AM, "sqlite-users on behalf of Edmondo Borasio" 
<sqlite-users-boun...@mailinglists.sqlite.org on behalf of 
edmondobora...@gmail.com> wrote:

    Hi and thanks for your email.
    
    I am using PHP with SQLite on an Apache server.
    That statement was taken from some advice I got from a forum.  I wasn't
    aware it was MySQL.
    I am new to SQLite and this is my first database.
    
    "Table/column names cannot use parameters.  You have to put it directly
    into the string:"
    
    I guess however there must be a way, because for example with SELECT it
    works.
    The query below works perfectly using variables:
    
        $results = $db->query("SELECT \"$DbItemName\" FROM Anagrafica WHERE hID=\"$hId\"")->fetchArray();
    
    Cheers
    
    Edmondo
    
    
    On Fri, 21 Jul 2017 at 12:24, Clemens Ladisch <clem...@ladisch.de> wrote:
    
    > Edmondo Borasio wrote:
    > >     $stmt->bind_param($p_name,$bind_value);
    >
    > This looks like PHP's MySQL driver.  Which DB are you actually using?
    >
    > Anyway, I recommend you start with the examples from the manual, e.g.,
    > <http://php.net/manual/en/sqlite3stmt.bindvalue.php>:
    >
    >   $stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
    >   $stmt->bindValue(':id', 1, SQLITE3_INTEGER);
    >   $result = $stmt->execute();
    >
    > > I would also need to take the parameter "name" of "SET name" from a
    > variable
    >
    > Table/column names cannot use parameters.  You have to put it directly
    > into the string:
    >
    >   $sql = "UPDATE Anagrafica SET ".$col." = ..."
    >
    >
    > Regards,
    > Clemens
    > _______________________________________________
    > sqlite-users mailing list
    > sqlite-users@mailinglists.sqlite.org
    > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
    >
    


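An added example, not code from anyone in the thread: the same three situations reproduced in Python's sqlite3 module against a constructed Anagrafica table (the hID column comes from the thread; Nome, Cognome, Password and the two rows are assumptions for the demo). It shows why a bound parameter cannot stand in for a column name (SQLite treats it as a string literal), how the string-spliced query from the thread can be steered by a hostile "column name", and a fix that allow-lists the identifier, quotes it, and binds the value.

```python
import sqlite3


# Constructed for this example: a tiny Anagrafica table standing in for the
# one in the thread. Column names other than hID are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Anagrafica (hID INTEGER PRIMARY KEY, Nome TEXT, "
        "Cognome TEXT, Password TEXT)"
    )
    db.executemany(
        "INSERT INTO Anagrafica (hID, Nome, Cognome, Password) VALUES (?, ?, ?, ?)",
        [(1, "Mario", "Rossi", "s3cret"), (2, "Anna", "Bianchi", "hunter2")],
    )
    return db


def query_interpolated(db, col, hid):
    """The thread's pattern: column name and value are spliced into the SQL
    text before SQLite parses it. It works for benign input only because
    SQLite, by default, reads an unresolvable double-quoted token such as "1"
    as a string literal (the double-quoted-string fallback). Deliberately
    unsafe; kept to show the failure mode."""
    sql = f'SELECT "{col}" FROM Anagrafica WHERE hID="{hid}"'
    return [row[0] for row in db.execute(sql)]


def query_bound_identifier(db, col, hid):
    """Why a parameter cannot carry a column name: the bound value is a
    string literal, so each matching row yields the text 'Nome' rather than
    the contents of the Nome column."""
    sql = "SELECT ? FROM Anagrafica WHERE hID=?"
    return [row[0] for row in db.execute(sql, (col, hid))]


def quote_ident(name):
    """Quote an SQLite identifier: wrap in double quotes, double any embedded."""
    return '"' + name.replace('"', '""') + '"'


# Columns the application is willing to expose. Deliberately narrower than
# the schema, so a caller cannot ask for Password just because it exists.
ALLOWED_COLUMNS = frozenset({"Nome", "Cognome"})


def query_safe(db, col, hid, allowed=ALLOWED_COLUMNS):
    """Identifier via allow-list plus quoting; value via a bound parameter."""
    if col not in allowed:
        raise ValueError(f"column not permitted: {col!r}")
    sql = f"SELECT {quote_ident(col)} FROM Anagrafica WHERE hID=?"
    return [row[0] for row in db.execute(sql, (hid,))]


if __name__ == "__main__":
    db = make_db()
    print(query_bound_identifier(db, "Nome", 1))  # ['Nome']
    # A "column name" that closes the quote and comments out the WHERE clause,
    # so the query returns Nome for every row instead of one hID.
    payload = 'Nome" FROM Anagrafica --'
    print(query_interpolated(db, payload, 1))
    print(query_safe(db, "Nome", 1))  # ['Mario']
    try:
        query_safe(db, payload, 1)
    except ValueError as e:
        print("rejected:", e)
```

The allow-list is what actually rejects the hostile name. Quoting alone is not enough here: `quote_ident(payload)` produces a syntactically valid identifier that names no column, and with SQLite's default double-quoted-string fallback that identifier silently becomes a string literal, so the query returns garbage rather than an error. Checking the name against a fixed set (or, if it must be dynamic, against `PRAGMA table_info`) is the step that closes the path the top of the thread warns about.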