I'm trying to prevent my query from being injected with SQL injection by using a prepared statement. But how do I implement a prepared statement with array_push()? Here I use array_push for custom search purposes.
Here is the code snippet that I have now.
    public function getDataTable(Request $req) {
        $start  = $req->start;
        $length = $req->length;
        $draw   = $req->draw;
        $order  = $req->order;
        $type   = '';
        $where  = $this->storeParams($req);   // returns a raw SQL fragment built from request values
        $data   = $this->getData($where, $start, $length, $order, $type);
        // ...
        $output = [
            'draw'            => (int) $draw,
            'recordsTotal'    => $total,
            'recordsFiltered' => $filtered,
            'data'            => $data,
        ];
        return json_encode($output);
    }

    public function storeParams(Request $req) {
        $param      = [];
        $start_date = date('Y-m-d');
        $end_date   = date('Y-m-d');
        // Request values are concatenated directly into the SQL text here
        if (!empty($req->studentid)) {
            array_push($param, 'studentid LIKE \'' . $req->studentid . '\'');
        }
        if (!empty($req->studentnm)) {
            array_push($param, 'studentnm LIKE \'' . $req->studentnm . '%\'');
        }
        if (!empty($start_date) && !empty($end_date)) {
            array_push($param, "entrydate between '" . $start_date . "' and '" . $end_date . "'");
        }
        if (count($param) > 0) {
            $where = implode(' and ', $param);
        } else {
            $where = "1";   // no filters: match every row
        }
        return $where;
    }

    public function getData($where, $start = null, $length = null, $order = null, $type = null) {
        // ...
        $dataSet = DB::connection('mysql5')->table('tbl_datastudent')
            ->selectRaw("studentid, studentnm, address, entrydate, payment, paymentdate")
            ->whereRaw($where);   // $where is interpolated as-is, with no bindings
        // ...
    }
How do I apply the prepared statement in the storeParams() function? Can anybody guide or help me?
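The same two functions rewritten so the request values never enter the SQL text, as an added example that is not part of the original post. The clause list keeps only `?` placeholders and the values are collected in a parallel $bindings array that Laravel's whereRaw() passes to PDO as prepared-statement parameters; the class name StudentDataTable and the escapeLike() helper are assumptions made for this example.

```php
<?php
// Added example, not the poster's code. Assumes Laravel's Request and DB facade
// as used in the question; StudentDataTable and escapeLike() are made up here.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class StudentDataTable
{
    /** Escape LIKE metacharacters so a user typing "%" or "_" matches literally. */
    private function escapeLike(string $value): string
    {
        return addcslashes($value, '%_\\');
    }

    /** Returns [$whereSql, $bindings]; user values never touch the SQL string. */
    public function storeParams(Request $req): array
    {
        $clauses    = [];
        $bindings   = [];
        $start_date = date('Y-m-d');
        $end_date   = date('Y-m-d');

        if (!empty($req->studentid)) {
            $clauses[]  = 'studentid LIKE ?';
            $bindings[] = $this->escapeLike($req->studentid);
        }
        if (!empty($req->studentnm)) {
            $clauses[]  = 'studentnm LIKE ?';
            $bindings[] = $this->escapeLike($req->studentnm) . '%'; // wildcard added server-side
        }
        if (!empty($start_date) && !empty($end_date)) {
            $clauses[] = 'entrydate BETWEEN ? AND ?';
            array_push($bindings, $start_date, $end_date);
        }

        $where = $clauses ? implode(' AND ', $clauses) : '1';
        return [$where, $bindings];
    }

    public function getData(array $whereAndBindings, ?int $start = null, ?int $length = null)
    {
        [$where, $bindings] = $whereAndBindings;
        $query = DB::connection('mysql5')->table('tbl_datastudent')
            ->select('studentid', 'studentnm', 'address', 'entrydate', 'payment', 'paymentdate')
            ->whereRaw($where, $bindings);   // placeholders are bound, not interpolated
        if ($start !== null && $length !== null) {
            $query->offset($start)->limit($length);
        }
        return $query->get();
    }
}
```

The same rule applies to the DataTables `order` parameter: a column name cannot be bound as a value, so map it against an allow-list of known column names before passing it to orderBy().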
via Chebli Mohamed