I have the following query:
$query = "OR col2 > 5 OR col3 > 10"; // Note: this is created dynamically
$result = $db->prepare("SELECT * FROM table WHERE (columnname = :pageurlmatch $query)");
$result->bindValue(':pageurlmatch', $shorturl, SQLITE3_TEXT);
$shorturl is user input (a URL the user enters). $query is a dynamically generated string.
If a user includes ' in their URL, I get the following error:
Warning: SQLite3::prepare(): Unable to prepare statement: 1, unrecognized token: ":" in XXXX on line 125
Fatal error: Call to a member function bindValue() on a non-object in XXXX on line 128
How do I protect this query against quotes? There should not even be any quotes in the input since it is supposed to be a URL.
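Added example, not part of the original question or the poster's code: a self-contained PHP SQLite3 script showing the two halves of the safe pattern the question is reaching for. The URL goes through a bound parameter, so a quote in it is plain data and cannot break the statement; the dynamic part of the WHERE clause is built only from an allowlist of column names with its numeric thresholds bound as well; and the return value of prepare() is checked before bindValue() is called, which is where the "non-object" fatal in the question comes from. The table and column names (pages, columnname, col2, col3), the allowlist and the sample rows are assumptions for the demo.

```php
<?php
// Added example (not the original poster's code). Table name "pages" and
// columns columnname/col2/col3 are assumed for the demo.

function buildFilter(array $filters, array &$params): string {
    // Only these column names may appear in the dynamic part of the query.
    // Anything else is rejected instead of being interpolated into SQL.
    static $allowed = ['col2', 'col3'];
    $sql = '';
    foreach ($filters as $i => [$column, $min]) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $name = ":min$i";
        $sql .= " OR $column > $name"; // column from allowlist, value bound below
        $params[$name] = (int) $min;
    }
    return $sql;
}

function findPages(SQLite3 $db, string $shorturl, array $filters): array {
    $params = [];
    $query = buildFilter($filters, $params);
    $stmt = $db->prepare("SELECT * FROM pages WHERE (columnname = :pageurlmatch $query)");
    if ($stmt === false) {
        // prepare() returns false on a SQL error; calling bindValue() on it
        // is the "Call to a member function bindValue() on a non-object" fatal.
        throw new RuntimeException('prepare failed: ' . $db->lastErrorMsg());
    }
    // The URL is bound, so quotes inside it never reach the SQL parser.
    $stmt->bindValue(':pageurlmatch', $shorturl, SQLITE3_TEXT);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, SQLITE3_INTEGER);
    }
    $rows = [];
    $res = $stmt->execute();
    while (($row = $res->fetchArray(SQLITE3_ASSOC)) !== false) {
        $rows[] = $row;
    }
    return $rows;
}

// Constructed sample data in an in-memory database.
$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE pages (columnname TEXT, col2 INTEGER, col3 INTEGER)");
$db->exec("INSERT INTO pages VALUES ('http://example.com/a', 1, 1)");
$db->exec("INSERT INTO pages VALUES ('http://example.com/it''s', 1, 1)");
$db->exec("INSERT INTO pages VALUES ('http://example.com/b', 9, 1)");

// A quote in the bound URL is just data: only the exact-match row comes back.
$rows = findPages($db, "http://example.com/it's", []);
printf("quoted URL: %d row(s)\n", count($rows));

// Dynamic filter "OR col2 > 5" with the threshold bound, not interpolated.
$rows = findPages($db, "http://example.com/it's", [['col2', 5]]);
printf("with filter: %d row(s)\n", count($rows));

// A column name outside the allowlist is refused before any SQL is built.
try {
    findPages($db, 'http://example.com/a', [['othercol', 0]]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of the split is that a placeholder can only stand in for a value, never for a column name or operator, so the part of the statement that must vary structurally has to come from code-controlled fragments, while every user-influenced value, including the numeric thresholds, is bound. Checking prepare() for false also turns the silent-warning-then-fatal sequence from the question into a single, loggable error.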