[RawSQL] Cannot bind string has `/` character to find in DB

Question

[RawSQL] Cannot bind string has `/` character to find in DB

Envy Aug '17

Created Aug '17	Last Reply Aug '17	Replies 3	Views 371	Votes 0

Envy 6.0k

Aug '17

I have table urlTable contain url like this:

id    url
1     abc.com/zyx.html
2     abc.com/xyz123.html

To find one of them, i use the RawSQL:

$url = 'abc.com/zyx.html';
$sql    = "SELECT id FROM urlTable WHERE url = ':url'";
$result = \Phalcon\DI::getDefault()->getDb()->fetchAll($sql, \Phalcon\Db::FETCH_ASSOC, ['url' => $url]);

But result is empty. SQL log is:

SELECT id FROM urlTable WHERE url = ':url' [{"url":"abc.com\/zyx.html"}]

So, phalcon has escaped the / character to \/.

I have what I need when I use:

$url = 'abc.com/zyx.html';
$sql    = "SELECT id FROM urlTable WHERE url = '$url'";
$result = \Phalcon\DI::getDefault()->getDb()->fetchAll($sql, \Phalcon\Db::FETCH_ASSOC);

SQL log is:

SELECT id FROM urlTable WHERE url = 'abc.com\/zyx.html'

What is wrong when I use the first way to avoid SQL injection?

Envy
6.0k

Accepted
answer

in reply to

Emilio Degiovanni

edited Aug '17
Aug '17

Thank so much, @Degiovanni.

However, I found out the problem is the single quote, not the colon. With rawsql, we just need one colon and in this case, we don't need single quote.

$sql = "SELECT id FROM urlTable WHERE url = :url";

Emilio Degiovanni · Answer 1 · 2017-08-14T11:26:38-07:00

Hi @Envy the problem is the bind parameter :url: doble colon

$sql = "SELECT id FROM urlTable WHERE url = :url:";

Good luck

xaero · Answer 2 · 2017-08-16T02:47:58-07:00

What's the different between one colon and double? Is it the function of PHP PDO or phalcon binding parameters?

Lajos Bencz · Answer 3 · 2017-08-16T04:31:32-07:00

Single colons :param are used by PDO (db->execute())

Double colons :param: are used by PhalconQL (modelsManager->createQuery())