Abhishek Dhanraj Shahdeo

Reputation: 1356

How to use parameterized queries/prepared statements in opencart?

How to use parameterized queries/prepared statements in OpenCart? I have a number of queries being used in OpenCart and I need to use a parameterized structure to prevent SQL injection in OpenCart. Below is a sample insert statement being used:

// Original query from the question, restructured so each column sits on its own
// line; the SQL and the values it concatenates are unchanged.
$result = $this->db->query(
    "INSERT INTO " . DB_PREFIX . "xxxx SET "
    . "pqrs = '" . $this->db->escape($data['pqrs']) . "', "    // escaped string
    . "opiu = '" . (int)$data['opiu'] . "', "                   // cast to int
    . "ttttt = '" . (int)$data['ttttt'] . "', "                 // cast to int
    . "yyyyy = '" . $this->db->escape($data['yyyyy']) . "', "  // escaped string
    . "bbbbb = '" . $data['bbbbb'] . "', "                      // interpolated as-is
    . "status = 1, "
    . "ppppp = '" . $data['ppppp'] . "'"                        // interpolated as-is
);

How can I convert this query into parametric one?

Upvotes: 2

Views: 569

Answers (2)

Eszter Pálmai

Reputation: 31

The mPDO adaptor has pre-written functionality for prepared statements, but the DB object through which it is accessed doesn't, and the rest of the adaptors don't either. If you want to access these functions, you can change the accessibility of the mPDO class' $connection and $statement properties, and the DB class' $adaptor from private to public - or create getter functions for them.

But code relying on this would break if you switch from mPDO to say, mysqli, and would undermine the design of the system.

So in summary: You can use prepared statements through mPDO and some quick changes - at the cost of breaking the exchangeability of MySQL adaptors - or it seems you'll have to implement the entire functionality yourself.

Upvotes: 2

Progman

Reputation: 19545

It looks like OpenCart does not have support for prepared statements in their custom DB interface. You can send a request to the developers that such methods will be implemented, or you can write them on your own.

Upvotes: 3
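Since both answers conclude that the DB object only exposes escape() and query(), here is an added example (not OpenCart's own code) of the "write it yourself" route: a small client-side binding helper that gives the question's INSERT a placeholder structure. bindQuery and buildInsert are hypothetical helper names; the helper types every bound value before it enters the SQL text and routes strings through the adaptor's escape(), which is the same approach PDO's emulated prepares take.

```php
<?php
// Added example, not OpenCart code. Emulated prepared statement: the template
// holds only :name placeholders, values are typed/escaped at bind time.
defined('DB_PREFIX') || define('DB_PREFIX', 'oc_');  // assumed prefix for stand-alone run

function bindQuery(string $sql, array $params, callable $escape): string {
    // Replacements are not re-scanned, so a value containing ':x' is never expanded.
    return preg_replace_callback('/:([A-Za-z_][A-Za-z0-9_]*)/', function ($m) use ($params, $escape) {
        if (!array_key_exists($m[1], $params)) {
            throw new InvalidArgumentException("No value bound for :{$m[1]}");
        }
        $v = $params[$m[1]];
        if ($v === null)  { return 'NULL'; }
        if (is_int($v))   { return (string)$v; }
        if (is_bool($v))  { return $v ? '1' : '0'; }
        if (is_float($v)) { return sprintf('%F', $v); }          // locale-independent
        return "'" . $escape((string)$v) . "'";                  // strings: adaptor escape
    }, $sql);
}

// The question's INSERT with every user-supplied column bound by name,
// including bbbbb and ppppp, which the original interpolated without escaping.
function buildInsert(array $data, callable $escape): string {
    $sql = "INSERT INTO " . DB_PREFIX . "xxxx SET "
         . "pqrs = :pqrs, opiu = :opiu, ttttt = :ttttt, "
         . "yyyyy = :yyyyy, bbbbb = :bbbbb, status = 1, ppppp = :ppppp";
    return bindQuery($sql, [
        'pqrs'  => (string)$data['pqrs'],
        'opiu'  => (int)$data['opiu'],
        'ttttt' => (int)$data['ttttt'],
        'yyyyy' => (string)$data['yyyyy'],
        'bbbbb' => (string)$data['bbbbb'],
        'ppppp' => (string)$data['ppppp'],
    ], $escape);
}

// Offline demo with constructed input. addslashes() is only a stand-in so the
// file runs without a DB; inside a model pass [$this->db, 'escape'] instead.
$demoEscape = fn(string $s) => addslashes($s);
$sql = buildInsert([
    'pqrs' => "O'Brien", 'opiu' => '7', 'ttttt' => 'not-a-number',
    'yyyyy' => 'plain', 'bbbbb' => "it's", 'ppppp' => 'x',
], $demoEscape);
echo $sql, PHP_EOL;   // in the model: $result = $this->db->query($sql);
```

The substitution is purely textual, so keep string literals out of the template (a literal like '12:30' would be treated as a placeholder) and bind such values instead. This is client-side emulation, not a server-side PREPARE, so it only protects values, never table or column names.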
