Comment: reformatted SQL

Original source (german) - Posting from xmurrix in Community Forum


With CONTENIDO 4.9.0 some core components were refactored. This also affected the class cDb (formerly known as DB_Contenido) and its parent classes. Some code was ported to PHP 5, and functions were extended or simply added. The result is a more secure and easier-to-use abstraction than its predecessor. This article introduces some of the changes that were made.

...

```php
$idlang = 1;
$idart = 2;
$cfg = cRegistry::getConfig();
$db = cRegistry::getDb();

// Classic variant: the statement is assembled by string concatenation,
// so every value has to be cast or escaped by hand before it is embedded.
$sql = '
	SELECT
		*
	FROM
		`' . $cfg['tab']['art_lang'] . '`
	WHERE
		idart = ' . cSecurity::toInteger($idart) . '
		AND idlang = ' . cSecurity::toInteger($idlang) . '
;';

// query(string $statement)
$db->query($sql);

if ($db->nextRecord()) {
    echo $db->f('title');
}
```

...

```php
// query(string $statement [, mixed $args [, mixed $... ]])
// Format-string variant: %s and %d are substituted by cDb from the
// additional arguments, in the order they are passed.
$sql = '
	SELECT
		*
	FROM
		`%s`
	WHERE
		idart = %d
		AND idlang = %d
;';
$db->query($sql, $cfg['tab']['art_lang'], $idart, $idlang);
```

...

```php
// query(string $statement, array $values)
// Same format string as above, but the values are handed over as one array.
$sql = '
	SELECT
		*
	FROM
		`%s`
	WHERE
		idart = %d
		AND idlang = %d
;';
$values = array($cfg['tab']['art_lang'], $idart, $idlang);
$db->query($sql, $values);
```

Compared to the second variant, all values are simply passed together as an array; there is no difference in behaviour.

...

```php
// query(string $statement, array $values)
// Named-parameter variant: each :name placeholder is replaced by the value
// stored under the matching key of the associative array.
$sql = '
	SELECT
		*
	FROM
		`:table_art_lang`
	WHERE
		idart = :idart
		AND idlang = :idlang
;';
$values = array(
    'table_art_lang' => $cfg['tab']['art_lang'],
    'idart' => cSecurity::toInteger($idart),
    'idlang' => cSecurity::toInteger($idlang)
);
$db->query($sql, $values);
```

With this variant, integer values should be cast explicitly, because the statement contains no formatting instruction such as %d that would enforce the type. Strings still do not have to be escaped.
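To make the casting rule tangible, the following added illustration (not CONTENIDO's own code) uses a plain-PHP stand-in for the named-parameter substitution; the table name and the request value are constructed sample data, and the stand-in only models placeholder replacement, not cDb's full handling of string values.

```php
<?php
// Added illustration, not part of cDb: a minimal stand-in that replaces
// :name placeholders the way the named-parameter variant does, used here
// only to show why integer values must be cast before they are passed.
function substituteNamed(string $sql, array $values): string
{
    $map = array();
    foreach ($values as $name => $value) {
        // A placeholder carries no type information, so whatever the
        // caller supplies is inserted verbatim (after string conversion).
        $map[':' . $name] = (string) $value;
    }
    return strtr($sql, $map);
}

// Same statement shape as in the article.
$sql = 'SELECT * FROM `:table_art_lang` WHERE idart = :idart AND idlang = :idlang';

// Constructed sample input: a request parameter that is not a clean integer.
$idart  = '2abc';
$idlang = '1';
$table  = 'con_art_lang'; // constructed sample table name

// Without a cast the malformed value reaches the statement unchanged.
$uncast = substituteNamed($sql, array(
    'table_art_lang' => $table,
    'idart'          => $idart,
    'idlang'         => $idlang,
));

// With an explicit (int) cast (cSecurity::toInteger() in CONTENIDO) only
// the integer part of the value is embedded.
$cast = substituteNamed($sql, array(
    'table_art_lang' => $table,
    'idart'          => (int) $idart,
    'idlang'         => (int) $idlang,
));

echo "uncast: $uncast", PHP_EOL;
echo "cast:   $cast", PHP_EOL;
```

Running the script side by side shows that the %d variants make this cast implicitly, whereas with named parameters the caller is responsible for it.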

...

```php
// string prepare(string $statement [, mixed $args [, mixed $... ]])
// prepare() only performs the substitution and returns the finished
// statement; it has to be passed to query() separately.
$sql = 'SELECT * FROM `%s` WHERE idart = %d AND idlang = %d';
$sql = $db->prepare($sql, $cfg['tab']['art_lang'], $idart, $idlang);
$db->query($sql);
```

...

```php
// string prepare(string $statement, array $values)
$sql = 'SELECT * FROM `%s` WHERE idart = %d AND idlang = %d';
$values = array($cfg['tab']['art_lang'], $idart, $idlang);
$sql = $db->prepare($sql, $values);
$db->query($sql);
```

...

Call with exactly two parameters using "named parameters". The first parameter is the SQL statement as in the first variant; the second is an associative array containing all values that should be substituted.

```php
// string prepare(string $statement, array $values)
$sql = 'SELECT * FROM `:table_art_lang` WHERE idart = :idart AND idlang = :idlang';
$values = array(
    'table_art_lang' => $cfg['tab']['art_lang'],
    'idart' => (int) $idart,
    'idlang' => (int) $idlang
);
$sql = $db->prepare($sql, $values);
$db->query($sql);
```

...