Ok, I know that ssddii stands for String, Decimal, Integer.
My question is, I have images being stored in my database and their type is “longbow”. How would those be handled in the update query, and is the VarChar the “string”?
For example, if I were to use this for my site, the update query would look something like:
$stmt = $mysqli->prepare("UPDATE `new-equip` SET itemName = ?,
    model = ?,
    serial = ?,
    `desc` = ?
    WHERE itemID = ?");   // hyphenated table name and the reserved word desc need backticks; no comma before WHERE
$stmt->bind_param('ssssi', // four strings, then one integer
    $_POST['itemName'],
    $_POST['model'],
    $_POST['serial'],
    $_POST['desc'],
    $_POST['itemID']);
$stmt->execute();
$stmt->close();
Basically everything that would normally be enclosed in quotes if it were in the query itself is a “string” as far as the “s” is concerned.
Wherever you got the example code using $_POST in the database call from, it is providing bad examples. You should always validate the $_POST variables and store the validated values into new variables long before they get anywhere near a database call - that is, unless you want your database to end up filled with meaningless junk.
I would validate the form before I do anything with the database, as felgall has said. Also, I’m not sure if it matters, but you should stuff the $_POST values into the query like that.
Still wrong - in fact far worse. You should VALIDATE the $_POST variables before copying them to another variable. If you don’t, then there is NO POINT in copying them - you’d be better off using the $_POST names so that you know they can still contain JUNK/GARBAGE, and that there is no guarantee that they will not result in injection into whatever you are going to use the fields for when you read them back from the database.
No, no, no. You’re getting it wrong. I haven’t actually attempted to help the OP yet. I just wanted to correct his post. He was stuffing the actual $_POST values inside the query, which is a wrong attempt. If you say my attempt to modify the OP’s code is far worse, then I don’t know how much worse the OP’s original code is, because stuffing actual $_POST values inside queries is far, far worse than my attempt.
I couldn’t edit my first post, so that’s why I had to post again to clarify what I was trying to show the OP. I know that you should validate inputs; I’m not that slow. Don’t think for a minute that I’m as slow as you think I am. I couldn’t edit my post, so I had to just re-post what I was trying to get at.
Taking the post value, putting it into a local variable, and putting it into the query is no different than putting the post value directly into the query.
OP: MySQL does not have a type “longbow”, so I’d suggest double-checking your field type. If it’s a LONGBLOB, you’ll need to send it as blob data, as Jeff pointed out.
Your code is effectively identical to that of the OP, except that with theirs it is obvious that the fields passed to the SQL have not been validated, whereas you need to read the rest of the code in order to tell that your variables also haven’t been validated. With your code there is no way to tell by looking at the code whether the variables are valid or JUNK.
You are converting potentially untainted variable names into tainted ones - by copying the $_POST values to another name you now have no way to tell what variables are valid without actually testing the value again or examining ALL of the code and testing all of the possible paths through it.
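Putting felgall's validation point and the LONGBLOB advice together, as an added example that is not code from any poster in this thread: it assumes a LONGBLOB column named image (the OP never names it), the image arriving as a file upload in $_FILES['image'], and mysqli set to throw on errors (the PHP 8.1 default).

```php
<?php
// Added example, not code from any poster in this thread. Assumes a LONGBLOB column
// named image (assumed; the OP never names it) and mysqli in exception mode (PHP 8.1 default).
declare(strict_types=1);

// 1. Validate $_POST / $_FILES into new, known-good variables before any DB call.
function validatedInput(array $post, array $files): array
{
    $text = static function (string $key, int $maxLen) use ($post): string {
        $v = $post[$key] ?? '';
        if (!is_string($v) || ($v = trim($v)) === '' || strlen($v) > $maxLen) {
            throw new InvalidArgumentException("invalid or missing field: $key");
        }
        return $v;
    };
    $itemId = filter_var($post['itemID'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemId === false) {
        throw new InvalidArgumentException('itemID must be a positive integer');
    }
    $tmp = (string) ($files['image']['tmp_name'] ?? '');
    // Check the file's actual content, not the client-supplied name or MIME type.
    $mime = is_uploaded_file($tmp) ? (new finfo(FILEINFO_MIME_TYPE))->file($tmp) : '';
    if (!in_array($mime, ['image/png', 'image/jpeg'], true)) {
        throw new InvalidArgumentException("missing upload or unexpected image type: $mime");
    }
    return [
        'itemName' => $text('itemName', 100), 'model' => $text('model', 50),
        'serial'   => $text('serial', 50),    'desc'  => $text('desc', 1000),
        'imagePath' => $tmp, 'itemID' => $itemId,
    ];
}

// 2. Bind only the validated values; the LONGBLOB is typed 'b' and streamed with send_long_data().
function updateEquipment(mysqli $db, array $in): int
{
    $stmt = $db->prepare('UPDATE `new-equip` SET itemName = ?, model = ?, serial = ?, `desc` = ?, image = ? WHERE itemID = ?');
    $null = null; // placeholder for the 'b' parameter; the bytes arrive via send_long_data()
    $stmt->bind_param('ssssbi', $in['itemName'], $in['model'], $in['serial'], $in['desc'], $null, $in['itemID']);
    $fh = fopen($in['imagePath'], 'rb');
    while (!feof($fh)) {
        $stmt->send_long_data(4, fread($fh, 8192)); // 4 = zero-based index of the 'b' parameter; chunks stay under max_allowed_packet
    }
    fclose($fh);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Usage: $rows = updateEquipment($mysqli, validatedInput($_POST, $_FILES));
```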