
I need to store the following query text ($triggerTachoAdresa) in a database, but it is perceived as part of the query. How can I get it stored in the text column unchanged, exactly as it is? I am using PDO.

    $triggerTachoAdresa = "CREATE TRIGGER `TachoAdresa_{$cisloJednotky}` BEFORE INSERT ON `gps_{$cisloJednotky}`
    FOR EACH ROW BEGIN
        DECLARE iLastTacho BIGINT(12) DEFAULT 0;
        DECLARE iLastKm BIGINT(12) DEFAULT 0;

        -- last stored distance and odometer reading for this unit (a NULL odometer counts as 0)
        SELECT VZDALENOST, IF(TACHOMETR IS NULL, 0, TACHOMETR) AS TACHOMETR INTO iLastKm, iLastTacho
            FROM gps_{$cisloJednotky} ORDER BY DATUM_CAS DESC LIMIT 1;
        IF iLastTacho = 0 THEN
            SET NEW.TACHOMETR = NEW.VZDALENOST;
        ELSE
            SET NEW.TACHOMETR = iLastTacho + (NEW.VZDALENOST - iLastKm);
        END IF;

        SET NEW.ADRESA = DejAdresu(NEW.LAT, NEW.LON, {$cisloJednotky});
    END";
Adam
  • How are you trying to store it? A string is a string, regardless of what's in it. It sounds like whatever code you're using to actually interact with the database may be wrong. – David Apr 25 '20 at 20:19
  • $GLOBALS['pdo']->exec("INSERT INTO `aaa_test` (`SQL_TEXT`) VALUES('$triggerTachoAdresa')"); – Adam Apr 25 '20 at 20:22
  • The problem isn't the string, the problem is that your SQL injection vulnerability is treating it like code. Take a look here: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – David Apr 25 '20 at 20:23
  • Thank you, so if I use the PDO prepare function, this should be resolved. – Adam Apr 25 '20 at 20:24
  • Correct. Always treat values as values, not as executable code. – David Apr 25 '20 at 20:26
  • Thank you very much – Adam Apr 25 '20 at 20:38
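What the comment thread arrives at, as an added example that is not code from the question or its comments: the trigger text is passed to PDO as a bound parameter, so the driver never parses it as SQL, and it is read back byte for byte. An in-memory SQLite database stands in for MySQL so the script runs offline; the table name `aaa_test` and column `SQL_TEXT` come from the comments, while the `id` column, the unit number `42`, the helper names `storeSqlText`/`loadSqlText`/`roundTrips` and the apostrophe-containing sample value are assumptions made for the example.

```php
<?php
// Added example (not code from the question or its comments): store arbitrary SQL
// text as a plain value with a PDO prepared statement, then read it back unchanged.
// In-memory SQLite is used so it runs offline; aaa_test/SQL_TEXT follow the comment
// thread, the id column, the unit number 42 and the helper names are assumed.
declare(strict_types=1);

$cisloJednotky = 42; // constructed unit number for the trigger and table names
$triggerTachoAdresa = "CREATE TRIGGER `TachoAdresa_{$cisloJednotky}` BEFORE INSERT ON `gps_{$cisloJednotky}`
FOR EACH ROW BEGIN
    DECLARE iLastTacho BIGINT(12) DEFAULT 0;
    DECLARE iLastKm BIGINT(12) DEFAULT 0;
    SELECT VZDALENOST, IF(TACHOMETR IS NULL, 0, TACHOMETR) AS TACHOMETR INTO iLastKm, iLastTacho
        FROM gps_{$cisloJednotky} ORDER BY DATUM_CAS DESC LIMIT 1;
    IF iLastTacho = 0 THEN
        SET NEW.TACHOMETR = NEW.VZDALENOST;
    ELSE
        SET NEW.TACHOMETR = iLastTacho + (NEW.VZDALENOST - iLastKm);
    END IF;
    SET NEW.ADRESA = DejAdresu(NEW.LAT, NEW.LON, {$cisloJednotky});
END";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE aaa_test (id INTEGER PRIMARY KEY, SQL_TEXT TEXT NOT NULL)');

/** Insert $sqlText as a bound value; the driver never parses it as SQL. Returns the new row id. */
function storeSqlText(PDO $pdo, string $sqlText): int
{
    $stmt = $pdo->prepare('INSERT INTO aaa_test (SQL_TEXT) VALUES (:sql_text)');
    $stmt->bindValue(':sql_text', $sqlText, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

/** Read the stored text back, or null when no such row exists. */
function loadSqlText(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT SQL_TEXT FROM aaa_test WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

/** True when the text survives the store/load round trip unchanged. */
function roundTrips(PDO $pdo, string $text): bool
{
    return loadSqlText($pdo, storeSqlText($pdo, $text)) === $text;
}

// 1. The trigger text (backticks, semicolons, newlines, braces) is stored unchanged.
if (!roundTrips($pdo, $triggerTachoAdresa)) {
    throw new RuntimeException('trigger text was altered in the database');
}

// 2. Contrast with the interpolated form from the comments. A constructed value with an
//    apostrophe shows the failure mode: the apostrophe closes the SQL string literal and
//    the rest of the value is parsed as SQL. That is the injection; here it surfaces as
//    a syntax error, with other values it would execute.
$withQuote = "it's a value, not code";
try {
    $pdo->exec("INSERT INTO aaa_test (SQL_TEXT) VALUES ('$withQuote')");
    echo "interpolated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'interpolated insert failed: ', $e->getMessage(), "\n";
}

// 3. The same value goes in and comes out unchanged through the prepared statement.
if (!roundTrips($pdo, $withQuote)) {
    throw new RuntimeException('quoted text was altered in the database');
}
echo 'stored ', strlen($triggerTachoAdresa), " bytes of trigger text unchanged\n";
```

The point is the binding, not the driver: with PDO_MySQL and its default `PDO::ATTR_EMULATE_PREPARES`, PDO quotes the bound value client side; with emulation off, the server receives it as a parameter. In both cases the string is treated as a value. On the real MySQL target the column should be `TEXT` (or larger) so a long trigger body is not truncated.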

0 Answers