When attempting to execute an SQL query using the bindValue method to parametrize the LIMIT clause, PHP PDO may add single quotes to the variable values. This behavior can lead to SQL syntax errors as observed in the provided code snippet:
$fetchPictures->prepare("SELECT *
FROM pictures
WHERE album = :albumId
ORDER BY id ASC
LIMIT :skip, :max");
$fetchPictures->bindValue(':albumId', $_GET['albumid'], PDO::PARAM_INT);
if(isset($_GET['skip'])) {
$fetchPictures->bindValue(':skip', trim($_GET['skip']), PDO::PARAM_INT);
} else {
$fetchPictures->bindValue(':skip', 0, PDO::PARAM_INT);
}
$fetchPictures->bindValue(':max', $max, PDO::PARAM_INT);
$fetchPictures->execute() or die(print_r($fetchPictures->errorInfo()));
$pictures = $fetchPictures->fetchAll(PDO::FETCH_ASSOC);The error message "You have an error in your SQL syntax" is likely caused by single quotes being added to the :skip variable in the LIMIT clause.
It is believed that this behavior is related to a long-standing bug in PDO reported in 2008: https://bugs.php.net/bug.php?id=44639
Solution:
As suggested in the response, casting the values to integers before passing them to the bindValue method solves this issue:
$fetchPictures->bindValue(':skip', (int) trim($_GET['skip']), PDO::PARAM_INT);By converting the $_GET['skip'] variable to an integer using (int) before binding, we prevent PDO from adding single quotes and ensure that the SQL query is executed correctly.
The above is the detailed content of How to Avoid SQL Injection When Using `bindValue` in a LIMIT Clause?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
