Thread: PDO ODBC Parameters Not Returning
Sun, May 22 2016 1:35 PM

Charles Collinson

I have to ODBC into an old DBISAM 3.30 database from PHP using the ODBC driver. I'm currently trying PDO; however, I've tried with the normal ODBC system with the same issue. Basically I want to use parameters to limit SQL injection, but for the life of me I can't get any records to return:

$d1 = "Admin";
$query = 'SELECT ALL * FROM Password WHERE User=?';
$stmt = $db->prepare($query);
$stmt->bindParam("1",$d1);
$stmt->execute();
$result = $stmt->fetchAll();
$count = $stmt->rowCount();
print("Records: $count rows.\n");

I get no results and the count comes back as 0. I've tried bindParam with an integer and with a :xyz named parameter. The connection works, as does the PDO system. If I replace the query with a simple select from the table with no WHERE clause I get all results, as I do if I hardcode the WHERE, so the issue is in the parameter system.

Can the DBISAM 3.30 ODBC work with parameters when querying?

TIA

Charles
Tue, May 24 2016 11:07 AM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Charles,

<<Having to ODBC into an old DBISAM 3.30 database with PHP using the ODBC driver and currently trying PDO, however I've tried with the normal ODBC system with the same issue. Basically wanting to use parameters to limit SQL injection but for the life of me I can't get any records to return:>>

What happens if you pass a length for the string variable (you'll also need to explicitly set the PDO::PARAM_STR parameter in the bindParam call)?

Tim Young
Elevate Software
www.elevatesoft.com
Thu, May 26 2016 10:54 AM

Charles Collinson

Tim Young [Elevate Software] wrote:

<<What happens if you pass a length for the string variable (you'll also need to explicitly set the PDO::PARAM_STR parameter in the bindParam call)?>>

Makes no difference.

$d1 = "Admin";
$query = "SELECT ALL * FROM Password WHERE User=?";
$stmt = $db->prepare($query);
$stmt->bindParam(1,$d1, PDO::PARAM_STR, 20);
$stmt->execute();
$result = $stmt->fetchAll();
$count = $stmt->rowCount();
print("Records: $count rows.\n");

No records found.

$d1 = "Admin";
$query = 'SELECT ALL * FROM Password WHERE User="Admin"';
$stmt = $db->prepare($query);
$stmt->execute();

This works. As does the below:

$query = "SELECT * FROM Password WHERE User= '" .$d1. "'";
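Because the driver in this thread does not honour bound parameters, the working fallback above concatenates $d1 straight into the SQL, which reintroduces the injection risk the parameters were meant to remove. The following is an added example, not code from the thread or from Elevate Software: it restricts the username with an allow-list, doubles single quotes as defence in depth before interpolation, checks execute()'s return and errorInfo() rather than reading 0 rows silently, and counts fetched rows instead of trusting rowCount() on a SELECT. The DSN, the allow-list pattern and DBISAM accepting '' as the quote escape inside '...' literals are assumptions.

```php
<?php
// Added example (not from the thread). Fallback for a driver that ignores bound
// parameters: allow-list the value first, then build the literal with the standard
// SQL escape of doubling single quotes (assumed to apply to DBISAM string literals).

function buildUserLookupSql(string $user): string
{
    // Allow-list: usernames in this table are assumed short and alphanumeric.
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,20}$/', $user)) {
        throw new InvalidArgumentException('username fails allow-list check');
    }
    // Defence in depth: even an allow-listed value is escaped before interpolation.
    $literal = "'" . str_replace("'", "''", $user) . "'";
    return "SELECT * FROM Password WHERE User=" . $literal;
}

function countUserRows(PDO $db, string $user): int
{
    $stmt = $db->prepare(buildUserLookupSql($user));
    if ($stmt === false || $stmt->execute() === false) {
        // Surface the driver's own diagnostic instead of silently seeing 0 rows.
        [$sqlState, $driverCode, $message] = ($stmt === false ? $db : $stmt)->errorInfo();
        throw new RuntimeException("query failed [$sqlState/$driverCode]: $message");
    }
    // rowCount() is not guaranteed to be meaningful for SELECT; count what was fetched.
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Assumed DSN; replace with the local ODBC data source name for the DBISAM driver.
$db = new PDO('odbc:DBISAM_DSN');

// A legitimate value passes the allow-list and reaches the database.
print("Records: " . countUserRows($db, 'Admin') . " rows.\n");

// A value containing a quote never reaches the SQL string at all.
try {
    countUserRows($db, "Admin'");
} catch (InvalidArgumentException $e) {
    print("Rejected: " . $e->getMessage() . "\n");
}
```

The allow-list is what actually bounds the risk here; the quote doubling only covers the case where the pattern is later loosened.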
Thu, May 26 2016 1:57 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Charles,

Unfortunately, the 3.30 codebase was frozen over 10 years ago, but if you send me your database files and a sample PHP script that reproduces the problem, I'll see what I can find out and see if there's a workaround.

Tim Young
Elevate Software
www.elevatesoft.com