Prepared statements

PHPMaker General Discussion (PHPMaker)
1

Hello,I tend to use prepared statements when reading and writing to databases:Bellow are 2 function using ExecuteQuery and ExecuteRows.
uuid is a url derived parameter getting read as $_GET.
Prepared statments protect me against sql insertions, but with phpmaker function, do I need to escape $uuid with ExecuteQuery and ExecuteRows.

function get_code($uuid){
	$code_type = array();
	$sql = "SELECT shmmitzrach,code FROM `moh_mitzrachim` WHERE uuid='$uuid'"; // define your SQL
	
	//echo $sql;
	
	$stmt = ExecuteQuery($sql); // execute the query
	$displayResult = ""; // initial display result
		if ($stmt->rowCount() > 0) { // check condition: if record count is greater than 0
			while ($row = $stmt->fetch()) { // begin of loop
			array_push($code_type, $row);
			} // end of loop
		}
	return $code_type;
}

function get_code2($uuid){
	$sql = "SELECT shmmitzrach,code FROM `moh_mitzrachim` WHERE uuid='$uuid'"; // define your SQL
	$myRows = ExecuteRows($sql); // execute the query

	if (count($myRows) > 0) {
		// Use prepared statements for INSERT to prevent SQL injection
		foreach ($myRows as $myRow) {
		$shmmitzrach = $myRow['shmmitzrach'];
		echo $shmmitzrach . "<br>";
		}
	}
}

thank you

2

The two global functions just execute SQL, you should use AdjustSql() to escape the value, see https://discourse.hkvstore.com/t/executescalar-sql-best-practice/8272/1 use prepared statements, you may use DBAL connection and it’s methods directly, e.g. Conn()->prepare(“Your SQL”), see Using Prepared Statements.