Wednesday, 11 January 2023

How to implement prepared statement in array_push()

I'm trying to prevent my query from being injected with SQL injection by using a prepared statement. But how do I implement a prepared statement with array_push()? Here I use array_push() for custom search purposes.

Here is the code snippet that I have now.

public function getDataTable(Request $req) {
    $start = $req->start;
    $length = $req->length;
    $draw = $req->draw;
    $order = $req->order;
    $type = '';
    $where = $this->storeParams($req);
    
    $data = $this->getData($where, $start, $length, $order, $type);
    
    .
    .
    .
    .

    $output = [
        'draw' => (int) $draw,
        'recordsTotal' => $total,
        'recordsFiltered' => $filtered,
        'data' => $data,
    ];
    return json_encode($output);
}

public function storeParams(Request $req) {
    $param = [];

    $start_date = date('Y-m-d');
    $end_date = date('Y-m-d');

    if (!empty($req->studentid)) {
        // request value concatenated straight into the SQL string
        array_push($param, 'studentid LIKE \'' . $req->studentid . '\'');
    }

    if (!empty($req->studentnm)) {
        // request value concatenated straight into the SQL string
        array_push($param, 'studentnm LIKE \'' . $req->studentnm . '%\'');
    }

    if (!empty($start_date) && !empty($end_date)) {
        array_push($param, "entrydate between '" . $start_date . "' and '" . $end_date . "'");
    }

    if (count($param) > 0) {
        $where = implode(' and ', $param);
    } else {
        $where = "1";
    }
    return $where;
}

public function getData($where, $start = null, $length = null, $order = null, $type = null) {
    .
    .
    .
    .
    $dataSet = DB::connection('mysql5')->table('tbl_datastudent')
        ->selectRaw("studentid, studentnm, address, entrydate, payment, paymentdate")
        ->whereRaw($where);
    .
    .
    .
    .
}

How do I apply the prepared statement in the storeParams() function? Can anybody guide or help me?



via Chebli Mohamed
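One way to keep the array-building approach and still get a prepared statement, as an added example that is not part of the original post: collect the WHERE fragments with `?` placeholders in one array and the corresponding values in a second array, then hand both to Laravel's `whereRaw($sql, $bindings)`, which passes the bindings through PDO as prepared-statement parameters. The `escapeLike()` helper, the free-function form of `storeParams()` (so the block runs outside a controller), and the request object built with `stdClass` are assumptions for illustration; the column names are the ones from the question.

```php
<?php
// Added example, not the original poster's code. storeParams() now returns
// [$whereSql, $bindings] instead of a finished SQL string; the values never
// become part of the SQL text, so a quote in the input cannot break out of
// the LIKE pattern. escapeLike() and the stdClass request are assumptions.

/**
 * Escape the LIKE metacharacters % and _ (and the escape character itself)
 * so the user's text is matched literally. Bindings stop SQL injection but
 * do not stop a user from smuggling wildcards into a LIKE pattern.
 * MySQL's default LIKE escape character is the backslash.
 */
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Build the WHERE fragment and its bindings from the request.
 * $req is any object exposing studentid / studentnm properties
 * (a Laravel Request works; so does a plain stdClass in a test).
 */
function storeParams(object $req): array
{
    $clauses  = [];
    $bindings = [];

    $start_date = date('Y-m-d');
    $end_date   = date('Y-m-d');

    if (!empty($req->studentid)) {
        $clauses[]  = 'studentid LIKE ?';
        $bindings[] = escapeLike((string) $req->studentid);
    }

    if (!empty($req->studentnm)) {
        // Prefix match: the wildcard is appended here, not taken from the user.
        $clauses[]  = 'studentnm LIKE ?';
        $bindings[] = escapeLike((string) $req->studentnm) . '%';
    }

    if (!empty($start_date) && !empty($end_date)) {
        $clauses[]  = 'entrydate BETWEEN ? AND ?';
        $bindings[] = $start_date;
        $bindings[] = $end_date;
    }

    $where = count($clauses) > 0 ? implode(' AND ', $clauses) : '1';

    return [$where, $bindings];
}

// Inside getData(), pass both parts to whereRaw(); the bindings are sent
// to MySQL as prepared-statement parameters, separate from the SQL text:
//
//   [$where, $bindings] = $this->storeParams($req);
//   $dataSet = DB::connection('mysql5')->table('tbl_datastudent')
//       ->selectRaw('studentid, studentnm, address, entrydate, payment, paymentdate')
//       ->whereRaw($where, $bindings);

// Stand-alone check with constructed, hostile request values.
$req = new stdClass();
$req->studentid = "' OR '1'='1";   // constructed injection attempt
$req->studentnm = '100%';          // constructed wildcard-smuggling attempt

[$where, $bindings] = storeParams($req);

// The SQL contains only column names, operators and "?" placeholders; the
// quote and the % live in $bindings as ordinary data.
echo $where, PHP_EOL;
print_r($bindings);
```

If you would rather not build SQL text at all, the same conditions can be expressed with the builder's own methods (`->where('studentid', 'like', $value)` and `->whereBetween('entrydate', [$start_date, $end_date])`), which produce the same placeholders and bindings for you; the array-of-fragments version above is shown because it maps most directly onto the existing `array_push()` structure.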
