I have the following PHP code:

$comp1 = $_POST['cohort_id1'];
$comp2 = $_POST['cohort_id2'];
$comp3 = $_POST['cohort_id1'];
$comp4 = $_POST['cohort_id2'];

$dbh = new PDO("mysql:host=$hostname;dbname=$database", $username, $password);

$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$sql = "SELECT cat_code, value, :comp1 , :comp2, round(:comp3/:comp4 * 100) as index_number FROM {$table}";
$stmt = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$stmt->execute(array(':comp1' => $comp1, ':comp2' => $comp2, ':comp3' => $comp3, ':comp4' => $comp4));
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
header('Content-type: application/json');
echo json_encode($result);

Here is how one of the objects is returned:

?: "national_percent"
cat_code: "edu"
index_number: null
value: "Some College"

What I can't understand is why the first line returns with a "?", but more importantly, why the index_number is null. I suspect it is because those values are being converted into strings, but I'm not sure how to handle that.

  • To specify the types you bind before execute and do execute() with no params Commented Mar 4, 2015 at 21:05
  • @developerwjk Not sure I follow this, can you give an example? Commented Mar 4, 2015 at 21:06
  • See PDOStatement::bindParam and PDOStatement::bindValue Commented Mar 4, 2015 at 21:07
  • so what are your $comp1 and $comp2 values? do you have such columns in your table? Commented Mar 4, 2015 at 21:08
  • Yes. I have these two values as columns in my table. If I run it like this (which is vulnerable to SQL injection), it works fine: $sql = "SELECT cat_code, value, {$comp1},{$comp2}, round({$comp1}/ {$comp2} * 100) as index_number FROM {$table};"; $result = $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC); Commented Mar 4, 2015 at 21:11

1 Answer

To prevent SQL injection of user input that contains column names, check the input against an array of valid column names:

$valid_columns = array('col1', 'col2', 'col3');
if (in_array($user_input_col, $valid_columns, true)) // strict: exact string match only
{
  $sql = "SELECT {$user_input_col} from table...";
  ...
}
else
{
  die('Invalid column name');
}
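Putting the allow-list check together with the original query, as an added example (not the poster's or the answerer's code; it assumes PHP 8 and hypothetical column names): placeholders bind values, not identifiers, so a bound column name arrives as a string literal, which is why the result header reads "?" and the division of two strings yields NULL. Validated identifiers are spliced into the SQL text instead, which also removes the need for the duplicated :comp3/:comp4 placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's or the answerer's code).
// Placeholders bind values, never identifiers: a bound column name arrives
// as a string literal, so the result header reads "?" and dividing two
// strings gives NULL. Identifiers are instead checked against an allow-list
// and only then spliced into the SQL text.

// Columns this endpoint may expose; the names are hypothetical.
const ALLOWED_COLUMNS = ['national_percent', 'national_count', 'cohort_percent', 'cohort_count'];

// Returns the backtick-quoted column name or throws. The strict flag on
// in_array() rejects anything that is not an exact string match.
function safeColumn(mixed $name): string
{
    if (!is_string($name) || !in_array($name, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('Invalid column name');
    }
    return '`' . $name . '`';
}

// Builds the query from validated identifiers. $table is assumed to come
// from server-side configuration, not from the request.
function buildIndexQuery(string $table, mixed $comp1, mixed $comp2): string
{
    $c1 = safeColumn($comp1);
    $c2 = safeColumn($comp2);
    return "SELECT cat_code, value, $c1, $c2, "
         . "round($c1 / $c2 * 100) AS index_number FROM `$table`";
}

// Request handler: validates, queries, and answers 400 on bad input.
function handleRequest(PDO $dbh, string $table, array $post): void
{
    try {
        $sql = buildIndexQuery($table, $post['cohort_id1'] ?? null,
                                       $post['cohort_id2'] ?? null);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['error' => $e->getMessage()]);
        return;
    }
    // No request data remains in $sql, so a plain prepare/execute suffices.
    $stmt = $dbh->prepare($sql);
    $stmt->execute();
    header('Content-Type: application/json');
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
}
```

Call it as `handleRequest($dbh, $table, $_POST)` after creating the PDO connection from the question; a request naming a column outside ALLOWED_COLUMNS never reaches the database.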