From a3c848f0ffc4c2f212a013ce9eac7cd18cec40ee Mon Sep 17 00:00:00 2001
From: Mr-Kaos <65438130+mr-kaos@users.noreply.github.com>
Date: Wed, 14 May 2025 19:53:03 +1000
Subject: [PATCH] Ensured parametrised queries respect data types

---
 lib/PicoDb/StatementHandler.php | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/PicoDb/StatementHandler.php b/lib/PicoDb/StatementHandler.php
index 5abd995..7cb7dce 100644
--- a/lib/PicoDb/StatementHandler.php
+++ b/lib/PicoDb/StatementHandler.php
@@ -279,12 +279,36 @@ protected function bindParams(PDOStatement $pdoStatement)
         }
         foreach ($this->positionalParams as $value) {
-            $pdoStatement->bindValue($i, $value, PDO::PARAM_STR);
+            switch (true) {
+                case is_numeric($value):
+                    $pdoStatement->bindValue($i, $value, PDO::PARAM_INT);
+                    break;
+                case is_bool($value):
+                    $pdoStatement->bindValue($i, $value, PDO::PARAM_BOOL);
+                    break;
+                case $value === null:
+                    $pdoStatement->bindValue($i, $value, PDO::PARAM_NULL);
+                    break;
+                default:
+                    $pdoStatement->bindValue($i, $value, PDO::PARAM_STR);
+            }
             $i++;
         }
         foreach ($this->namedParams as $name => $value) {
-            $pdoStatement->bindValue($name, $value, PDO::PARAM_STR);
+            switch (true) {
+                case is_numeric($value):
+                    $pdoStatement->bindValue($name, $value, PDO::PARAM_INT);
+                    break;
+                case is_bool($value):
+                    $pdoStatement->bindValue($name, $value, PDO::PARAM_BOOL);
+                    break;
+                case $value === null:
+                    $pdoStatement->bindValue($i, $value, PDO::PARAM_NULL);
+                    break;
+                default:
+                    $pdoStatement->bindValue($name, $value, PDO::PARAM_STR);
+            }
         }
     }
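Review bot: The `case $value === null:` branch of the named-parameter switch binds `$i` instead of `$name`, so a null named parameter is bound to whatever positional index the first loop left behind rather than to its own placeholder; it should read `$pdoStatement->bindValue($name, $value, PDO::PARAM_NULL);`. Separately, `is_numeric()` is true for numeric strings such as `'007'`, `'3.14'` or `'1e3'`, and binding those with `PDO::PARAM_INT` lets the driver rewrite the stored value, whereas the old unconditional `PARAM_STR` preserved them; `is_int()` is the check that matches the intent of the commit. Since both loops now carry an identical switch, the type selection is better pulled into one private helper so the two copies cannot drift again (the `$i` slip is exactly that kind of drift). The enclosing bindParams() starts before this hunk, so the `$i` initialisation is not visible here.
```php
protected function bindParams(PDOStatement $pdoStatement)
{
    // … unchanged: positional index setup …
    foreach ($this->positionalParams as $value) {
        $pdoStatement->bindValue($i, $value, $this->pdoTypeFor($value));
        $i++;
    }

    foreach ($this->namedParams as $name => $value) {
        $pdoStatement->bindValue($name, $value, $this->pdoTypeFor($value));
    }
}

/**
 * Map a PHP value to the PDO::PARAM_* constant to pass to bindValue().
 * Only genuine ints, bools and null get a typed binding; numeric strings
 * stay PARAM_STR so values like '007' or '1e3' are not rewritten by the driver.
 */
private function pdoTypeFor($value)
{
    if (is_int($value)) {
        return PDO::PARAM_INT;
    }
    if (is_bool($value)) {
        return PDO::PARAM_BOOL;
    }
    if ($value === null) {
        return PDO::PARAM_NULL;
    }
    return PDO::PARAM_STR;
}
```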