Welcome, Guest. Register Now!
   
Mark Forums Read Mark Forums Read Mark Forums Read


Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 08-11-2008, 11:44 PM
dele454's Avatar
Member
 
Join Date: Jun 2008
Posts: 48
Default QuoteInto to with multiple parameters

hi

I need to query the database with 2 parameters from a URL :

http://mainevent.com/admin/galleries...d/1/type/venue


Code:
public function getGalleryByIdType($requestType="", $requestID="")
                {
                               if($requestType ="event'){
                               
                                  $db        = Zend_Registry::get('db');
                                   $sql       = $db->quoteInto("SELECT g.GalleryName, e.EventName
                                                   FROM Galleries  g  
                                                   LEFT JOIN EventGallery eg ON eg.GalleryID = g.GalleryID
                                                   LEFT JOIN Event e On e.EventID = eg.EventID
                                                   WHERE g.Type=? AND g.GalleryID=?" , $requestType,$requestID);
                       
                                                                                         
                                  $query     = $db->query($sql);
                               
                                  $results   = $query->fetchAll();
                                 
                                  return $results;
                            }
               
               
                }
It seems the quoteInto function only accepts a single parameter. It returns an empty array with no results. And the function doesnt support supplying parameters as an array of values. I came across this article:

Modifying Zend_Db_Adapter_Abstract::quoteInto to accept multiple question marks at Amikelive | Technology Blog

And this guy recommends modifying the function definition. I just want to know if this is the appropriate route to solving this. Thanks
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 08-12-2008, 01:59 AM
Senior Member
 
Join Date: Jul 2008
Posts: 271
Default

The other option is to use bound parameters by passing the second parameter to query(). So you don't even need quoteInto(). Like this:
Code:
...
$sql       = 'SELECT g.GalleryName, e.EventName
                ...
                WHERE g.Type = :gType AND g.GalleryID = :gGalleryId';
                
                $query     = $db->query($sql, array(
                    'gType' => $gType,
                    'gGalleryId' => $gGalleryId,
                ));
You can have as many bound parameters as you want, unfortunately you can't use the same one multiple times in the query (unless that's changed since last I looked).
__________________
Brenton Alker
PHP Developer - Brisbane, Australia

blog.tekerson.com | twitter.com/tekerson | brenton.mp
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #3 (permalink)  
Old 08-12-2008, 05:24 AM
dele454's Avatar
Member
 
Join Date: Jun 2008
Posts: 48
Default

Quote:
Originally Posted by Tekerson View Post
The other option is to use bound parameters by passing the second parameter to query(). So you don't even need quoteInto(). Like this:
Code:
...
$sql       = 'SELECT g.GalleryName, e.EventName
                ...
                WHERE g.Type = :gType AND g.GalleryID = :gGalleryId';
                
                $query     = $db->query($sql, array(
                    'gType' => $gType,
                    'gGalleryId' => $gGalleryId,
                ));
You can have as many bound parameters as you want, unfortunately you can't use the same one multiple times in the query (unless that's changed since last I looked).
Thanks but then i am not quoting any of those values! Doesnt that open me to sql injection attacks?
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #4 (permalink)  
Old 08-12-2008, 06:12 AM
Senior Member
 
Join Date: Jul 2008
Posts: 271
Default

Nope, the bound parameters are inserted by creating a prepared statement and executing it (or a facsimile of, if prepared statements are not available in your database/adapter).
__________________
Brenton Alker
PHP Developer - Brisbane, Australia

blog.tekerson.com | twitter.com/tekerson | brenton.mp

Last edited by Tekerson : 08-12-2008 at 06:13 AM. Reason: Grammar
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #5 (permalink)  
Old 10-30-2008, 09:53 AM
Junior Member
 
Join Date: Jul 2008
Posts: 2
Post re

Tekerson - i have a question related to what you said

PHP Code:
$arr = array('some_id' => (int)$some_id'name' => $name'name2' => $name2);
$this->db->update('table'$arr'id ='.(int)$id); 
I am only doing trim() on $name and $name2, is this query safe? How should i escape the vars? Is Zend_Db doing it automagically?

Thanks!
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT. The time now is 02:31 AM.