Method 1:
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
Method 2:
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute(array(':id' => $_POST['myform-userid'])); // Any vulnerability here?
$row = $stmt->fetch(PDO::FETCH_ASSOC);
Does Method 1 have any significant advantages over Method 2? I know that bindParam is helpful when you need to run the query again with a different value for the parameter, and you can also specify the data type. But are there any strong reasons to rewrite my Method 2 to Method 1? There may be lots of places where such queries are scattered, so I was wondering if it is worth the trouble. Thanks
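The following is an added example (not code from the question) that shows what actually differs between the two methods: by-reference binding with an explicit type versus by-value string binding. It uses an in-memory SQLite database so it runs offline; the users table is constructed for the demo.

```php
<?php
// Added example, not from the original question. In-memory SQLite so it runs
// offline; the users table and its rows are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Method 1: bindParam() binds the *variable* by reference with an explicit type.
// The value is read when execute() runs, so one prepared statement can be
// re-executed with new values without re-binding.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$id = null;
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
foreach ([1, 3] as $id) {
    $stmt->execute();
    echo $stmt->fetchColumn(), PHP_EOL; // alice, then carol
}

// Method 2: execute([...]) binds each value by value as PDO::PARAM_STR.
// It is still a real parameter binding: the value never becomes SQL text.
// A malformed id (constructed here, standing in for arbitrary form input)
// simply matches no row instead of widening the query.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => '2 OR 1=1']);
var_dump($stmt->fetch(PDO::FETCH_ASSOC)); // bool(false)
$stmt->execute([':id' => '2']);
var_dump($stmt->fetch(PDO::FETCH_ASSOC)); // ['name' => 'bob']

// Caveat for Method 2: because everything is bound as a string, drivers that
// emulate prepares (MySQL with PDO::ATTR_EMULATE_PREPARES on, its default)
// quote the value, so "LIMIT :limit" becomes "LIMIT '2'" and fails. Bind such
// values explicitly; this is where Method 1's type argument earns its keep.
$stmt = $pdo->prepare('SELECT name FROM users ORDER BY id LIMIT :limit');
$stmt->bindValue(':limit', 2, PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN)); // ['alice', 'bob']
```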
I'm using extbase in my extension and so I have *Repository classes where I can do simple queries just like:
public function getRecordsByCondition($config = [], $recordPages = null) {
    $recordQuery = $this->createQuery();
    $constraints = [];
    // empty() avoids an undefined-index notice when a filter is not set
    if (!empty($config['field1'])) {
        $constraints[] = $recordQuery->equals('field1', $config['field1']);
    }
    if (!empty($config['field2'])) {
        $constraints[] = $recordQuery->equals('field2', $config['field2']);
    }
    if (!empty($config['field3'])) {
        $constraints[] = $recordQuery->equals('field3', $config['field3']);
    }
    if (count($constraints)) {
        if ($recordPages) {
            $constraints[] = $recordQuery->in('pid', $recordPages);
            $recordQuery->getQuerySettings()->setRespectStoragePage(false);
        }
        $recordQuery->matching($recordQuery->logicalAnd($constraints));
    } else {
        return false;
    }
    return $recordQuery->execute();
}
This will respect enableFields and the other usual conditions.
On the other hand, there is the option to do it this way:
public function getrecords2($config, $recordPages) {
    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tx_myext_domain_model_records');
    $rawquery = $queryBuilder
        ->select('*')
        ->from('tx_myext_domain_model_records')
        ->where(
            // expr()->eq() does not quote its value, so bind values as named
            // parameters instead of pasting $config values into the SQL
            $queryBuilder->expr()->eq('field1', $queryBuilder->createNamedParameter($config['field1'])),
            $queryBuilder->expr()->eq('field2', $queryBuilder->createNamedParameter($config['field2'])),
            $queryBuilder->expr()->eq('field3', $queryBuilder->createNamedParameter($config['field3'])),
            // in() implodes the array unquoted, so force integer page ids
            $queryBuilder->expr()->in('pid', array_map('intval', (array) $recordPages)),
            $queryBuilder->expr()->eq('deleted', 0),
            $queryBuilder->expr()->eq('hidden', 0)
            // starttime, endtime, language, workspace, ....
        );
    return $rawquery->execute()->fetchAll();
}
where I need to take care of enableFields myself but have more options to specify the query.
At first view you can see that there are different methods (eq vs. equals) and that these two kinds of queries have no relation. But both work on the same table.
Now I'm at a point where I need to change all my work from the first to the second variant, as I need a query with a join to another table, which can't be done with the first variant (as far as I know).
Have I missed something, or does the first variant need some enhancements?
Well, I am not sure exactly about the difference, but let me try to express things in brief as per my knowledge :D
The main difference between both queries is that one is an Individual database query (typically I call it an Extbase query, I'm not sure whether I'm right or not!) and the other is a Doctrine DBAL query.
1. Individual database queries
Here, as per the modern approach, extensions use Domain modeling. So TYPO3 already enables a secure connection for the model (typically a database table) and you can use relational table connections with the Extbase functions (select, operators, join etc.) provided by the TYPO3 core.
For more: https://docs.typo3.org/m/typo3/book-extbasefluid/master/en-us/6-Persistence/3-implement-individual-database-queries.html
2. Doctrine DBAL
Here, you enable the connection manually for the database table using the ConnectionPool class. Also, you have more flexibility to establish a relation (or join, you could say!) according to your need.
For more: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/Database/Index.html
However, you can use restrictions to take care of hidden, deleted etc.
$queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
    ->getQueryBuilderForTable('tx_myext_domain_model_records');
// keep only the deleted and hidden restrictions (drops starttime/endtime)
$queryBuilder->getRestrictions()->removeAll()->add(GeneralUtility::makeInstance(DeletedRestriction::class));
$queryBuilder->getRestrictions()->add(GeneralUtility::makeInstance(HiddenRestriction::class));
$rawquery = $queryBuilder
    ->select('*')
    ->from('tx_myext_domain_model_records')
    ->where(
        // bind values as parameters; expr()->eq() does not quote them
        $queryBuilder->expr()->eq('field1', $queryBuilder->createNamedParameter($config['field1'])),
        $queryBuilder->expr()->eq('field2', $queryBuilder->createNamedParameter($config['field2'])),
        $queryBuilder->expr()->eq('field3', $queryBuilder->createNamedParameter($config['field3'])),
        $queryBuilder->expr()->in('pid', array_map('intval', (array) $recordPages))
        // starttime, endtime, language, workspace, ....
    );
See: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/ApiOverview/Database/RestrictionBuilder/Index.html
I know this is not a sufficient and 100% correct answer. Everyone is welcome to correct me :)
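Since the question was really about doing the join the extbase repository cannot express, here is an added example (not code from the thread) of the QueryBuilder variant with optional filters, bound parameters, the default restrictions left active on both tables, and a join. It assumes a TYPO3 9+ extension, a hypothetical second table tx_myext_domain_model_category, a category uid field on the records table and title columns on both tables.

```php
<?php
// Added example, not code from the thread. Assumes TYPO3 9+, a hypothetical
// table tx_myext_domain_model_category that records point to via "category",
// and "title" columns on both tables; the records table name is the thread's.
use TYPO3\CMS\Core\Database\Connection;
use TYPO3\CMS\Core\Database\ConnectionPool;
use TYPO3\CMS\Core\Utility\GeneralUtility;

function findRecordsWithCategory(array $config, array $recordPages): array
{
    $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)
        ->getQueryBuilderForTable('tx_myext_domain_model_records');
    // The default restriction container (deleted, hidden, starttime, endtime)
    // is already active and is applied to every table in the query, the joined
    // one included, so no manual deleted=0 / hidden=0 clauses are needed.

    // Optional filters, like the if-blocks in the extbase repository. Values are
    // bound with createNamedParameter(); expr()->eq() itself never quotes them.
    $constraints = [];
    foreach (['field1', 'field2', 'field3'] as $field) {
        if (isset($config[$field]) && $config[$field] !== '') {
            $constraints[] = $queryBuilder->expr()->eq(
                'r.' . $field,
                $queryBuilder->createNamedParameter($config[$field])
            );
        }
    }
    if ($constraints === []) {
        return [];
    }
    if ($recordPages !== []) {
        $constraints[] = $queryBuilder->expr()->in(
            'r.pid',
            $queryBuilder->createNamedParameter($recordPages, Connection::PARAM_INT_ARRAY)
        );
    }

    return $queryBuilder
        ->select('r.uid', 'r.title', 'c.title AS category_title')
        ->from('tx_myext_domain_model_records', 'r')
        // The join condition compares two columns, so it uses quoteIdentifier()
        // rather than a bound parameter.
        ->join(
            'r',
            'tx_myext_domain_model_category',
            'c',
            $queryBuilder->expr()->eq('c.uid', $queryBuilder->quoteIdentifier('r.category'))
        )
        ->where(...$constraints)
        ->execute()
        ->fetchAll();
}
```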
where I need to care about enablefields by myself
That's not true. By default there are Restrictions active and you can enable or disable every Restriction with a short command.
I use both approaches, but I use the first one only on Extbase extensions, the second one on every other extension. (Yes, there exist extensions without Extbase)
I have been looking at the MailChimp API, and am wondering how to display the live amount of subscribers to a list. Is this possible? And is it possible to have this counter LIVE? I.e. as users join, the number increases in real time?
EDIT:
I have been getting used to the API slightly...
after using Drewm's MailChimp PHP wrapper it's starting to make more sense...
I have so far
// This is to tell WordPress our file requires Drewm/MailChimp.php.
require_once( 'src/Drewm/MailChimp.php' );
// This is for namespacing since Drew used that.
use \Drewm;
// Your Mailchimp API Key
$api = 'APIKEY';
$id = 'LISTID';
// Initializing the $MailChimp object
$MailChimp = new \Drewm\MailChimp($api);
$member_info = $MailChimp->call('lists/members', array(
    'apikey' => $api,
    'id' => $id // your mailchimp list id here
));
But I'm not sure how to display these values; it's currently just saying 'Array' when I echo $member_info. This may be completely because of my ignorance in PHP. Any advice to s
I know this may be old, but maybe this will help someone else looking for this. Latest versions of the API and PHP files.
use \DrewM\MailChimp\MailChimp;
$MailChimp = new MailChimp($api_key);
$data = $MailChimp->get('lists');
print_r($data); // view output
$total_members = $data['lists'][0]['stats']['member_count'];
$list_id = $data['lists'][0]['id'];
$data['lists'][0] is the first list. If you have more, then it would be $data['lists'][1] etc.
And to get a list of members from a list:
$data = $MailChimp->get("lists/$list_id/members");
print_r($data['members']); // view output
foreach ($data['members'] as $member) {
    $email = $member['email_address'];
    $added = date('Y/m/d', strtotime($member['timestamp_opt']));
    // I use reverse dates for sorting in a *datatable* so it properly sorts by date
}
You can view the print_r output to get what you want to get.
Is there any way to make a ZF2 database adapter return column values in the appropriate data type, or does it always return data as strings?
Something like this (where $statement is a Zend\Db\Adapter\Driver\Pdo\Statement):
$rows = $statement->execute();
foreach ($rows as $row) {
$price = $row['price'];
}
$price is always a string, even though price is defined to be a float in the database.
Also, even if the answer is that MySQL/PostgreSQL/SQLite database adapters always return strings, would the answer be different for a different kind of database adapter?
I am using Kohana ORM in order to get some results from the database. My problem is: even though I have consulted the documentation, I can't find a way to select only the column I am interested in. To be more explicit, I have:
$sale_stock = Model::factory('product_type')
    ->where('product_type_id', '=', $id)
    ->find_all();
Var dumping it, I see it selects everything: "SELECT product_type.* FROM product_type WHERE ...".
But I want to select only the 'stock' field from the salestock table. Doing find('stock') instead of find_all() returns a weird object... Where am I wrong, and how can I actually select only the column 'stock' using Kohana ORM?
thank you!
ORM methods find() and find_all() always select all table columns, so there are two ways to get specific fields:
Load full table rows and get the columns from them:
$sale_stock = Model::factory('product_type')
    ->where('product_type_id', '=', $id)
    ->find_all();
// get array of id=>stock values
$columns = $sale_stock->as_array('id', 'stock');
Create a special method in the model using the Query Builder:
// model Model_Product_Type
public function get_stocks($product_type_id)
{
    // select() takes column names; a one-element array would be read as (column, alias)
    return DB::select('stock')
        ->from($this->_table_name)
        ->where('product_type_id', '=', $product_type_id)
        ->execute($this->_db);
}
I realise this isn't exactly what you're looking for, but I've pulled the following from the Kohana documentation ...
$articles = ORM::factory('article')->select_list('id', 'title');
foreach ($articles as $id => $title)
{
    // Display a list of links
    echo html::anchor('articles/'.$id, $title);
}
// Display a dropdown list
echo form::dropdown('articles', $articles);
You could think of it as a discount, two fields for the price of one.
It's common practice for ORMs to return a 'non-standard' object when partial model or merged model fields are requested. This prevents confusing operations using the original object (i.e. how do you save an object when it contains only 2 of 8 fields, plus maybe some fields from another model?).
If you print_r the object, and give me an indication of how that looks ... it might be just what you want.
I know this is an old question, but I found a maybe easier solution:
// find() returns a single model object, so ->stock is readable on it
// (find_all() returns a result set, which has no ->stock property)
$sale_stock = ORM::factory('product_type')
    ->where('product_type_id', '=', $id)
    ->find();
die($sale_stock->stock);
I want to fetch information from the database using objects.
I really like this approach because it is more OOP:
$user = Doctrine_Core::getTable('User')->find(1);
echo $user->Email['address'];
echo $user->Phonenumbers[0]->phonenumber;
rather than:
$q = Doctrine_Query::create()
    ->from('User u')
    ->leftJoin('u.Email e')
    ->leftJoin('u.Phonenumbers p')
    ->where('u.id = ?', 1);
$user = $q->fetchOne();
echo $user->Email['address'];
echo $user->Phonenumbers[0]['phonenumber'];
The problem is that the first one uses 3 queries (3 different tables), while the second one uses only 1 (and is therefore the recommended technique).
But I feel that it destroys the object-oriented design, because ORM is meant to give us an OOP approach so that we can focus on objects and not the relational database. But now they want us to go back to using SQL-like patterns.
Isn't there a way to get information from multiple tables without using DQL?
The above examples are taken from the Doctrine documentation.
Create a custom method in your Table class that will return proper data:
class UserTable extends Doctrine_Table {
    public function retrieveOne($id) {
        // one query with both relations joined; the id is a bound parameter
        return $this->createQuery('u')
            ->leftJoin('u.Email e')
            ->leftJoin('u.Phonenumbers p')
            ->where('u.id = ?', $id)
            ->fetchOne();
    }
}
Your final code:
$user = Doctrine::getTable('User')->retrieveOne(1);
echo $user['Phonenumbers'][0]['phonenumber'];