How do I fix this PHP snippet to allow receiving/outputting data from MySQL via PHP?

I'm not having an issue with storing the data via PDO(",,,") but am getting an error to receive/output the data using the following snippet.

public static function getList( $numRows=1000000, $order="publicationDate DESC" ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM articles
        ORDER BY " . mysql_escape_string($order) . " LIMIT :numRows";

    $st = $conn->prepare( $sql );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->execute();
    $list = array();

    while ( $row = $st->fetch() ) {
        $article = new Article( $row );
        $list[] = $article;
    }

    // Now get the total number of articles that matched the criteria
    $sql = "SELECT FOUND_ROWS() AS totalRows";
    $totalRows = $conn->query( $sql )->fetch();
    $conn = null;
    return ( array ( "results" => $list, "totalRows" => $totalRows[0] ));
} 

I'm receiving the following error when using mysql_escape_string() -

Deprecated: mysql_escape_string(): This function is deprecated; use mysql_real_escape_string() instead. in C:\document.php on line 41

When I change it to mysql_real_escape_string() I receive the following errors -

Deprecated: mysql_real_escape_string(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\document.php on line 41

Warning: mysql_real_escape_string(): Access denied for user ''@'localhost' (using password: NO) in C:\document.php on line 41

Warning: mysql_real_escape_string(): A link to the server could not be established in C:\document.php on line 41

You're using PDO, so don't use anything that's part of the antiquated mysql_query library, and that includes mysql_real_escape_string.

You can't just inject arbitrary ORDER BY criteria, you'll have to be really careful here. If it's a column you're sorting on, run it through a white-list of known-good columns and insert that text only. You don't want people supplying their own arbitrary columns to sort on, especially if they're not in the database.

Remember, escaping column names uses a totally different method than escaping MySQL data strings.
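
The allow-list approach described in the answer above, as an added example that is not part of the original question or answer. The helper name `orderByClause` and the `title` and `id` columns are assumptions for illustration; only `publicationDate` and the `articles` table appear in the question.

```php
<?php
// Added example: sort columns the application permits, keyed by lowercase name.
// 'title' and 'id' are assumed columns; only publicationDate is from the question.
const ARTICLE_SORT_COLUMNS = [
    'publicationdate' => 'publicationDate',
    'title'           => 'title',
    'id'              => 'id',
];

// Turn a caller-supplied "column [ASC|DESC]" string into a safe ORDER BY fragment.
// The returned text is built only from the allow-list and two fixed keywords.
function orderByClause(string $order): string
{
    if (!preg_match('/^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?\s*$/i', $order, $m)) {
        throw new InvalidArgumentException('Malformed sort expression');
    }
    $key = strtolower($m[1]);
    if (!isset(ARTICLE_SORT_COLUMNS[$key])) {
        throw new InvalidArgumentException('Sorting on this column is not allowed');
    }
    $direction = strtoupper($m[2] ?? 'ASC');
    // Backticks quote a MySQL identifier; this is not the same as string escaping.
    return '`' . ARTICLE_SORT_COLUMNS[$key] . '` ' . $direction;
}

// The question's query with the mysql_* call replaced by the allow-list check.
function getList(PDO $conn, int $numRows = 1000000, string $order = 'publicationDate DESC'): array
{
    $sql = 'SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate
            FROM articles ORDER BY ' . orderByClause($order) . ' LIMIT :numRows';
    $st = $conn->prepare($sql);
    $st->bindValue(':numRows', $numRows, PDO::PARAM_INT); // data values stay bound
    $st->execute();
    $rows  = $st->fetchAll(PDO::FETCH_ASSOC);
    $total = (int) $conn->query('SELECT FOUND_ROWS()')->fetchColumn();
    return ['results' => $rows, 'totalRows' => $total];
}

// Constructed sample inputs: the first two are accepted, the last two rejected.
foreach (['publicationDate DESC', 'title', 'no_such_column ASC', 'title, id'] as $candidate) {
    try {
        echo orderByClause($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $candidate, '): ', $e->getMessage(), "\n";
    }
}
```

The loop at the end runs without a database; `getList()` needs a PDO connection to MySQL, such as the one the question creates from `DB_DSN`.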