Complex SQL queries without SQL injection

This is a fully working SQL query.

INSERT INTO products
	(id, company, title)
VALUES
	(
		'1',
		'company1',
		'title1'
	),
	(
		'2',
		'company2',
		'title2'
	)
ON DUPLICATE KEY UPDATE
	id = VALUES(id),
	company = VALUES(company),
	title = VALUES(title)

Just dumping it in like this is probably very insecure.

db::query($sql);

  1. Is it possible to do this without db::query?
  2. Should I add the values as the second or third argument? The docs say bindings as the second argument and params as the third argument. I could not find an example of it.
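One way to run the upsert from the question with bindings instead of interpolated values, as an added example that is not part of the thread or of Kirby itself. It assumes the Kirby 2 signature db::query($query, $bindings) mentioned in the question, where the bindings are handed to the prepared statement; the helper name buildUpsert and the sample rows are made up for this example.

```php
<?php
// Added example (not from the thread or the Kirby project): builds the
// multi-row INSERT ... ON DUPLICATE KEY UPDATE with "?" placeholders so that
// every value travels as a binding and never becomes part of the SQL text.
// Assumes db::query($query, $bindings) prepares the statement and binds
// the values through PDO (Kirby 2 toolkit behaviour, as understood here).

function buildUpsert($table, array $columns, array $rows)
{
    // Identifiers cannot be bound, so only plain names are accepted for
    // the table and column list (the one part that must be whitelisted).
    foreach (array_merge(array($table), $columns) as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
    }

    $bindings  = array();
    $rowGroups = array();
    foreach ($rows as $row) {
        $marks = array();
        foreach ($columns as $column) {
            if (!array_key_exists($column, $row)) {
                throw new InvalidArgumentException("Row is missing column $column");
            }
            $marks[]    = '?';
            $bindings[] = $row[$column]; // value goes to the driver, not into the SQL
        }
        $rowGroups[] = '(' . implode(', ', $marks) . ')';
    }

    $updates = array_map(function ($c) { return "`$c` = VALUES(`$c`)"; }, $columns);

    $sql = 'INSERT INTO `' . $table . '` (`' . implode('`, `', $columns) . "`)\n"
         . 'VALUES ' . implode(",\n       ", $rowGroups) . "\n"
         . 'ON DUPLICATE KEY UPDATE ' . implode(', ', $updates);

    return array($sql, $bindings);
}

// Constructed sample rows, e.g. straight from untrusted form input.
// The quote in "O'Reilly" is harmless because it is bound, not concatenated.
$rows = array(
    array('id' => '1', 'company' => 'company1', 'title' => "O'Reilly"),
    array('id' => '2', 'company' => 'company2', 'title' => 'title2'),
);

list($sql, $bindings) = buildUpsert('products', array('id', 'company', 'title'), $rows);

// Bindings go in as the second argument; the third (params) keeps its default.
$result = db::query($sql, $bindings);
```

Column and table names come from your own code, never from the request, which is why the helper only whitelists them instead of trying to bind them.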

I guess this one is for you @lukasbestle.

That should be something like this:

$result = db::table('products')->insert([
  ['id' => '1', 'company' => 'company1', 'title' => 'title1'],
  // ...
]);

Not completely related - but if you are starting to use complex MySQL for projects, and feel like going to something that is outside of Kirby - I recommend the Illuminate Database - it's probably (definitely) heavier, but I haven't found anything it can't do well so far… and it has good documentation
