
Re: How to modify Temp table data for reporting

Posted: Mon Mar 08, 2021 1:25 pm
by apmuthu
Instead of just single quotes (which must encapsulate the string unless leveraging PDO placeholders), first pass the string through the mysqli_real_escape_string() function. This will take care of all escaping and SQL injection issues.

Thanks. Very nice explanation. A final drop temporary table after generating the report....

Re: How to modify Temp table data for reporting

Posted: Mon Mar 08, 2021 6:28 pm
by icoso
apmuthu wrote:
Instead of just single quotes (which must encapsulate the string unless leveraging PDO placeholders), first pass the string through the mysqli_real_escape_string() function. This will take care of all escaping and SQL injection issues.

Thanks. Very nice explanation. A final drop temporary table after generating the report....

Apmuthu, if my SQL SELECT statement only has the date fields as user entry fields, for this report, and my UPDATE statement is generated using only the data that my original SELECT statement generated, should I still have to use the mysqli_real_escape_string() function? Are you suggesting that I use this on the two date fields that are user entered?

How would I do that? Or what should I do with those date fields?

Also, according to Kev1n, nuBuilder automatically drops the temporary tables. I've verified this by using my cPanel phpMyAdmin. The only time temp tables are left in the database is if my PHP functions fail for some reason AFTER the nuRunQuery() to create the temporary table.

Re: How to modify Temp table data for reporting

Posted: Wed Mar 10, 2021 4:00 pm
by apmuthu
In the script that uses the date field values, you can use the mysqli_real_escape_string() function. All user input must be washed to prevent SQL injection.

Re: How to modify Temp table data for reporting

Posted: Wed Mar 10, 2021 4:04 pm
by kev1n

Re: How to modify Temp table data for reporting

Posted: Wed Mar 10, 2021 4:11 pm
by apmuthu
Then use placeholders in PDO template.
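
Added example, not part of any post in this thread and not nuBuilder code: the two user-entered date fields are validated as strict YYYY-MM-DD values and then bound through PDO placeholders, and the follow-up UPDATE binds the values read back from the temporary table in the same way. The invoice schema, the report_tmp table, the function names and the in-memory SQLite connection are assumptions made so the script runs on its own.

```php
<?php
// Added example with a constructed schema and constructed sample rows.
// Assumption: in-memory SQLite through PDO so it runs offline; on MySQL the
// DSN differs and the drop is DROP TEMPORARY TABLE, the placeholders are the same.

// Accept only a real calendar date written as YYYY-MM-DD.
function parseReportDate(string $input): string
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $input);
    if ($d === false || $d->format('Y-m-d') !== $input) {
        throw new InvalidArgumentException('expected a date as YYYY-MM-DD');
    }
    return $input;
}

function buildReport(PDO $pdo, string $from, string $to): array
{
    // Validate before any table is created, so a bad value leaves nothing behind.
    $range = [':from' => parseReportDate($from), ':to' => parseReportDate($to)];
    $pdo->exec('CREATE TEMPORARY TABLE report_tmp (id INTEGER, inv_date TEXT, customer TEXT, label TEXT)');
    try {
        $fill = $pdo->prepare('INSERT INTO report_tmp (id, inv_date, customer)
            SELECT id, inv_date, customer FROM invoice WHERE inv_date BETWEEN :from AND :to');
        $fill->execute($range);
        // Values read back from the database are bound as well: a stored name
        // like "O'Brien & Co" would break an UPDATE built by concatenation.
        $update = $pdo->prepare('UPDATE report_tmp SET label = :label WHERE id = :id');
        $rows = $pdo->query('SELECT id, customer FROM report_tmp')->fetchAll(PDO::FETCH_ASSOC);
        foreach ($rows as $row) {
            $update->execute([':label' => 'Customer: ' . $row['customer'], ':id' => $row['id']]);
        }
        return $pdo->query('SELECT inv_date, label FROM report_tmp ORDER BY id')
                   ->fetchAll(PDO::FETCH_ASSOC);
    } finally {
        // The temporary table is dropped even if a later step throws.
        $pdo->exec('DROP TABLE report_tmp');
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoice (id INTEGER PRIMARY KEY, inv_date TEXT, customer TEXT)');
$pdo->exec("INSERT INTO invoice (inv_date, customer) VALUES
    ('2021-02-27', 'Acme'), ('2021-03-05', 'O''Brien & Co'), ('2021-03-20', 'Zenith')");

print_r(buildReport($pdo, '2021-03-01', '2021-03-31'));
try {
    buildReport($pdo, "2021-03-01' OR '1'='1", '2021-03-31'); // constructed bad input
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The first call returns the two March rows, including the customer name that contains an apostrophe; the second is rejected by the date check before any SQL runs.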