Are Dynamic Prepared Statements Bad? (with php + mysqli)
Tag : php , By : Frank Bradley
Date : March 29 2020, 07:55 AM
I like the flexibility of dynamic SQL and I like the security and improved performance of prepared statements. So what I really want is dynamic prepared statements, which is troublesome to make because bind_param and bind_result accept a "fixed" number of arguments. So I made use of an eval() statement to get around this problem. But I get the feeling this is a bad idea. Here's example code of what I mean. I think it is dangerous to use eval() here. Try this:
call_user_func_array(array($stmt, 'bind_param'), array_merge(array($types), $param)); // $param must hold references (bind_param binds by reference); array_merge, not "+", keeps key 0 of both arrays
|
Working with dynamic prepared statements in PDO
Date : March 29 2020, 07:55 AM
I'd create separate (protected) functions that return a prepared statement which only needs to be executed.
/**
 * @return PDOStatement
 */
protected function prepareStatementForCase1(PDO $dbObject, object $dataToBind) { ... }

/**
 * @return PDOStatement
 */
protected function prepareStatementForCase2(PDO $dbObject, object $dataToBind) { ... }

class Document
{
    protected $dbObject;

    public function __construct(PDO $dbObject)
    {
        $this->dbObject = $dbObject;
    }

    public function doQuery($paramOne, $paramTwo, ...)
    {
        $logicalFormulaOne = ...; // logical expression here with parameters
        $logicalFormulaTwo = ...; // logical expression here with parameters
        if ($logicalFormulaOne) {
            $dbStatement = $this->prepareStatementForCase1($dataToBind);
        } elseif ($logicalFormulaTwo) {
            $dbStatement = $this->prepareStatementForCase2($dataToBind);
        } else {
            // without this branch $dbStatement would be undefined below
            throw new InvalidArgumentException('no matching query case');
        }
        $dbResult = $dbStatement->execute();
    }

    protected function prepareStatementForCase1(object $dataToBind)
    {
        $dbStatement = $this->dbObject->prepare("query string");
        $dbStatement->bindParam(...);
        return $dbStatement;
    }
}
|
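A fuller version of the "one prepared statement per case" idea above, written here as an added example and not taken from the answer: each case builds its own SQL, and where the query shape has to vary at runtime (an IN list of unknown length, a sort column chosen by the caller) the generated part of the text is either pure placeholders or comes from a whitelist, so user-supplied values are only ever bound. It assumes a hypothetical `documents` table with columns id, owner, status and created_at, a hypothetical DSN and credentials, and PHP 8 for constructor property promotion.

```php
<?php
// Added example, not code from the original answer. Hypothetical schema:
// documents(id, owner, status, created_at).

final class DocumentRepository
{
    // Column names cannot be bound as parameters, so they come from a whitelist.
    private const SORTABLE = ['id', 'created_at'];

    public function __construct(private PDO $pdo) {}

    /** Case 1: documents of one owner, optionally restricted to some statuses. */
    public function findByOwner(string $owner, array $statuses = [], string $sort = 'id'): array
    {
        $sql    = 'SELECT id, owner, status FROM documents WHERE owner = :owner';
        $params = [':owner' => $owner];

        if ($statuses !== []) {
            // IN (...) needs one placeholder per value. The placeholder list is
            // generated; the values themselves are still bound, never interpolated.
            $marks = [];
            foreach (array_values($statuses) as $i => $status) {
                $marks[]              = ":status$i";
                $params[":status$i"]  = $status;
            }
            $sql .= ' AND status IN (' . implode(', ', $marks) . ')';
        }

        if (!in_array($sort, self::SORTABLE, true)) {
            throw new InvalidArgumentException("sort column not allowed: $sort");
        }
        $sql .= " ORDER BY $sort";   // safe only because $sort passed the whitelist

        return $this->run($sql, $params);
    }

    /** Case 2: a different query shape with its own, typed bindings. */
    public function findRecent(int $days, int $limit): array
    {
        $stmt = $this->pdo->prepare(
            'SELECT id, owner, status FROM documents
             WHERE created_at >= DATE_SUB(NOW(), INTERVAL :days DAY)
             ORDER BY created_at DESC LIMIT :limit'
        );
        // LIMIT/INTERVAL operands must be bound as integers; a quoted string
        // there is a syntax error on MySQL.
        $stmt->bindValue(':days', $days, PDO::PARAM_INT);
        $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    private function run(string $sql, array $params): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage with a hypothetical DSN and credentials.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$repo = new DocumentRepository($pdo);
$rows = $repo->findByOwner('alice', ['draft', 'published'], 'created_at');
```

Turning off emulated prepares is what makes these true prepared statements on the server; with emulation on, PDO interpolates the bound values client-side (correctly quoted, but it is no longer the statement/parameter split the question is after).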
Prepared Statements with dynamic WHERE clause
Date : March 29 2020, 07:55 AM
For a prepared statement with a WHERE clause you have to specify which values will be supplied later, for instance: SELECT * FROM table WHERE ID=?
function query(mysqli $mysql, $query, $param, $where)
{
    $query = $mysql->prepare($query);
    $query->bind_param($param, $where);
    $query->execute();
    ...
}
$results = query($mysql, "SELECT * FROM table WHERE Id=?", "s", "1");

class query
{
    public $query;
    public $param;
    public $where;
}

$query = new query();
$query->query = "SELECT * FROM Table WHERE `group`=? AND name LIKE ?"; // `group` is a reserved word, so it is quoted
$query->param = "ss";
$query->where = array();
$query->where[] = "administrators";
$query->where[] = "sam";

function SQLCall(mysqli $mysql, query $query)
{
    $db = $mysql->prepare($query->query);
    // bind_param takes the type string first and binds each value by reference,
    // so build the argument list from references to the where[] entries
    $args = array($query->param);
    foreach ($query->where as $i => $value) {
        $args[] = &$query->where[$i];
    }
    call_user_func_array(array($db, 'bind_param'), $args);
    $db->execute();
    ...
}
|
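The following is an added example that is not part of either answer; it covers both the eval()-free binding asked about in the first entry on this page and the dynamic WHERE clause of this one. The WHERE fragment is assembled only from whitelisted column names and operators, every value goes through bind_param, and the reference handling that call_user_func_array needs is done in one helper. It assumes a hypothetical `users` table with columns id, `group`, name and last_login, a mysqlnd-backed mysqli (for get_result()), PHP 7.1 or later, and hypothetical connection credentials; the builder and the whitelist check run without a database.

```php
<?php
// Added example, not code from the original answers. Hypothetical schema:
// users(id, `group`, name, last_login).

// Whitelists: the only tokens that may ever appear in the generated SQL text.
// The value of each column entry is its bind_param type character.
const ALLOWED_COLUMNS = ['id' => 'i', 'group' => 's', 'name' => 's', 'last_login' => 's'];
const ALLOWED_OPS     = ['=', '<>', '<', '>', 'LIKE'];

/**
 * Turn [[column, op, value], ...] into a WHERE fragment, a bind_param type
 * string and the list of values. Anything not on the whitelists is rejected,
 * so user input never becomes part of the SQL text, only of the bound values.
 */
function buildWhere(array $filters): array
{
    $clauses = [];
    $types   = '';
    $values  = [];
    foreach ($filters as [$column, $op, $value]) {
        if (!isset(ALLOWED_COLUMNS[$column])) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        if (!in_array($op, ALLOWED_OPS, true)) {
            throw new InvalidArgumentException("operator not allowed: $op");
        }
        $clauses[] = "`$column` $op ?";          // backticks: `group` is reserved
        $types    .= ALLOWED_COLUMNS[$column];
        $values[]  = $value;
    }
    $where = $clauses ? ' WHERE ' . implode(' AND ', $clauses) : '';
    return [$where, $types, $values];
}

/**
 * mysqli_stmt::bind_param binds by reference, so passing an array of plain
 * values through call_user_func_array() fails with "expected to be a
 * reference". Build an argument array of references first. array_merge is used
 * instead of "array + array", which would silently drop the first value
 * because both arrays have key 0.
 */
function bindDynamic(mysqli_stmt $stmt, string $types, array $values): void
{
    if ($values === []) {
        return;                                  // nothing to bind
    }
    $refs = [];
    foreach ($values as $i => $_) {
        $refs[$i] = &$values[$i];
    }
    call_user_func_array([$stmt, 'bind_param'], array_merge([$types], $refs));
    // On PHP 5.6+ the same binding reads: $stmt->bind_param($types, ...$values);
}

function findUsers(mysqli $db, array $filters): array
{
    [$where, $types, $values] = buildWhere($filters);
    $stmt = $db->prepare('SELECT id, `group`, name FROM users' . $where);
    bindDynamic($stmt, $types, $values);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Builder check, no database needed:
[$where, $types, $values] = buildWhere([['group', '=', 'administrators'], ['name', 'LIKE', 'sam%']]);
// $where is " WHERE `group` = ? AND `name` LIKE ?", $types is "ss"

// A column name under attacker control is rejected instead of being spliced
// into the statement text:
try {
    buildWhere([['name = name OR 1=1 -- ', '=', 'x']]);
} catch (InvalidArgumentException $e) {
    // rejected: "column not allowed: ..."
}

// Against a live server (hypothetical credentials):
// $db   = new mysqli('127.0.0.1', 'app', 'secret', 'app');
// $rows = findUsers($db, [['group', '=', 'administrators'], ['name', 'LIKE', 'sam%']]);
```

The point of the split is that the only part of the query that is dynamic is which whitelisted clauses are present; the values, including the LIKE pattern, are never part of the SQL string, which is what makes eval() unnecessary.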
How can I tell JPA to use prepared statements (or dynamic sql)?
Tag : jpa , By : rhinojosa
Date : March 29 2020, 07:55 AM
I concur with Michele in that, generally, prepared statements are used by the underlying JPA provider/implementer. To ensure that your statements are prepared and results cached (should you desire this) using standard JPA, please see my response here: How to use PreparedStatement efficiently?
|
What are prepared statements? How are they different from dynamic sql?
Date : March 29 2020, 07:55 AM
|