So basically I would like to execute a SQL statement like:
SELECT * FROM flights WHERE departure in ('Tokio','Berlin');
but the official docs don't really show me anything. A similar question was asked on GitHub's Q&A here https://github.com/eveningkid/denodb/discussions/286 but sadly there are no answers/comments.
I tried
.where("departure", "in", ['Tokio','Berlin']);
and similar, but nothing seems to work. Does anybody have an idea? If this is currently not supported, can someone point me to another JS ORM that works well with Deno and has this functionality?
A very 'beginner level' doubt, but I couldn't find a similar answer anywhere, so I thought let's ask the experts. How do I copy and paste multiple values for comparison in the 'filter' section for a table in DB vis? Take this example
As you can see, I need to copy multiple 'rpt_per_id' values and use them in the filter section. How do I do that so that their indentation is good? I know it's a pretty awkward question to ask, but still, I'm not sure how to do this and it would save me some time.
I have a question about SQL injection; this is using strip_tags() inside mysql_real_escape_string().
Have you ever tried to inject mysql_real_escape_string(strip_tags()) code? So the full code would look like this one:
SELECT * FROM table WHERE query='".mysql_real_escape_string(strip_tags())."'";
I want to know if that is safe, because I don't want to change the current code to use PDO if it's safe :)
strip_tags() has absolutely nothing to do with either SQL injection or the mysql_real_escape_string function, and is utterly irrelevant to the question.
So it adds nothing to SQL security.
I hope your confusion is now cleared up and you are going to use prepared statements from now on.
I'm just starting to convert all of my site's code into prepared statements for that extra security cushion, but I find myself running into the same questions.
After some reading, I've decided to use prepared statements on all select queries; however, I'm not sure if all of the variables in these queries need to be used as "parameters" in the prepared statement.
For example:
Where some_column IS NULL
Where some_column = $_SESSION['some-session-var']
Where some_column IN ($someArray)
Also, is there some way to give each condition a "name" rather than using the question mark? I feel like I've seen this before in documentation, but I've had no luck finding it since.
For example: Where city_name = :cityName. If so, how would I go about binding the parameters here?
Thanks,
Evan
Yes. All data going to the query should be added via placeholders.
Otherwise there will be no security at all.
Though prepared statements are extremely limited and support only scalar values, so your first and third examples require extra coding (examples can be found in plenty under the tag).
The named placeholders you mentioned belong to PDO; mysqli doesn't support them.
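As an added example (not code posted by anyone in this thread or the strip_tags() thread above), here is how Evan's three WHERE clauses look with PDO named and positional placeholders, plus the replacement for the earlier thread's mysql_real_escape_string(strip_tags()) construct. The DSN, credentials, table and column names, the session key and the $q request variable are assumptions made for illustration.

```php
<?php
// Added example, not from either original post. DSN, credentials, table and
// column names, the session key and $q are assumed for illustration.
session_start();

// Turn off emulated prepares so the MySQL server, not the client driver,
// separates the SQL text from the bound data.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// 1. WHERE some_column IS NULL: the query contains no data, so there is
//    nothing to bind and a plain query() is fine.
$nullRows = $pdo->query('SELECT * FROM items WHERE some_column IS NULL')
               ->fetchAll(PDO::FETCH_ASSOC);

// 2. WHERE some_column = :value with a named placeholder (PDO only). The
//    session value is data, so it travels through the placeholder and never
//    gets concatenated into the SQL string.
$stmt = $pdo->prepare('SELECT * FROM items WHERE some_column = :value');
$stmt->execute([':value' => $_SESSION['some-session-var'] ?? null]);
$eqRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 3. WHERE some_column IN (...): a placeholder binds one scalar, so emit one
//    "?" per array element and bind the elements positionally.
function selectIn(PDO $pdo, array $values): array
{
    if ($values === []) {
        return [];                 // "IN ()" is a syntax error; short-circuit
    }
    $marks = implode(',', array_fill(0, count($values), '?'));
    $stmt  = $pdo->prepare("SELECT * FROM items WHERE some_column IN ($marks)");
    $stmt->execute(array_values($values));   // reindex so binding is 1..n
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
$inRows = selectIn($pdo, ['Tokio', 'Berlin']);

// 4. The earlier thread's
//      "... WHERE query='" . mysql_real_escape_string(strip_tags(...)) . "'"
//    becomes a single bound parameter. strip_tags() only removes HTML tags
//    and leaves quote characters untouched, so it never contributed to the
//    SQL side at all; the placeholder makes the escaping step unnecessary.
$q    = $_GET['q'] ?? '';
$stmt = $pdo->prepare('SELECT * FROM table_name WHERE query = :q');
$stmt->execute([':q' => $q]);
$searchRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Named (`:value`) and positional (`?`) placeholders cannot be mixed in the same statement, which is why the IN helper uses positional ones throughout. With mysqli you would write the same IN-list expansion but bind with `?` only.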
I require a generic accounting system database schema. Are there any sites which provide this?
I think that would be difficult to find out of the box (it's quite complicated, starting from the basic question: which country's tax law are you targeting), but you can look at http://www.databaseanswers.org/data_models/ , at least for inspiration ;)
I think you can find a good answer in the answers to this question. It is about the double-entry system; there are links and a simple data model in there. Please check.
Searching around the Microsoft.M assembly, I found the SourceParser class and a whole set of classes in the Microsoft.TSQL10 namespace that seem related to parsing SQL, but I cannot find examples of how to use them.
I know you can generate T-SQL easily enough, but can you consume it, manipulate the data structure and re-output a modified version of the SQL select?
No is apparently the answer. I received confirmation of this on the MSDN forums.