too long

I'd like to know how to bind values in where clause. I have understood that is something that MUST be done for security reasons.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query
    ->select("*")
    ->from($db->quoteName("food"))
    ->where("taste = :taste")
    ->bind(':taste', 'sweet');
$db->setQuery($query);
$rows = $db->loadAssocList();

I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':taste' at line 3 SQL=SELECT * FROM food WHERE taste = :taste

My code is based on this post. It said that in Joomla 3.1 only "PDO/Sqlite and PDO/Oracle are supporting prepared statements", I am using Joomla 3.2.1 and MySQL, and in my Joomla configuration MySQLi. Could be that the problem?

I am quite confused because I dont know what API / Class have to follow.

• JDatabase for Joomla 3.x there is no bind method, and the information is scant, seems like is not completed.
• JDatabase for Joomla 2.5 has more information, but obviously is not my version. there is no bind method.
• JDatabaseQuery for Joomla 3.x there is no bind method
• JDatabaseQuerySqlite for Joomla 3.x has bind method
• JDatabaseQueryPdo for Joomla 3.x there is no bind method
• JTable for Joomla 3.x has bind method

Even I'm starting to doubt if I have to use JFactory::getDbo() to Select/Insert/Update/Delete data in Joomla DB.

Thanks in advance.

As far as I know, you can't use prepared statements nor bind values with Joomla.

If you read the Secure Coding Guideliness from the Joomla documentation (http://docs.joomla.org/Secure_coding_guidelines#Constructing_SQL_queries), they don't talk about prepared statements, only about using casting or quoting to avoid SQL injection.

In Joomla there is normally the check(), bind(), store() triple from JTable that prevents injection.

JDatabaseQueryPreparable has a bind method that you may want to look at. You may also want to look at the docblocks for JDatabaseQueryLimitable.

One thing I would suggest is that when you get that error, usually it is really because you do have a problem in your query (often wrong quoting or something being empty that needs not to be empty. To see your generated query you an use

echo $query->dump();

and then try running it directly in sql.

Also in general it's wise to use $db->quote() and $db->quoteName() if you are using the API that way you won't run into quoting problems. I think you may have a quoting problem but it's hard to know without knowing your field names.