Custom Page, Query Database

Post by andrewlaw » 2025-06-11 14:33

What files should I include on a custom page to query the database?

Per the documentation, this is my current code:

Code:

<?php
const PREPEND_PATH = '../';
$hooks_dir = __DIR__;
include("$hooks_dir/../lib.php");

include_once("$hooks_dir/../header.php");

/* grant access to all logged users */
$mi = getMemberInfo();
if(!$mi['username'] || $mi['username'] === 'guest') {
    echo "Access denied";
    exit;
}

echo "<p>Coming Soon</p>";

include_once("$hooks_dir/../footer.php");

I would like to use the sql method which is part of incFunctions.php (line 342) unless there is a better way to query the database. Do I just include incFunctions.php or will it already be included when I include header.php or should I include some other file?

Re: Custom Page, Query Database

Post by jsetzer » 2025-06-11 19:15

Just lib.php for using all available functions including authentication and sql/sqlValue functions.

If you need a custom page in the default layout with navbar etc., also include header.php and footer.php. Render your custom content between those.

Kind regards,
<js />

My AppGini Blog:
https://appgini.bizzworxx.de/blog

You can help us helping you:
Please always put code fragments inside [code]...[/code] blocks for better readability

AppGini 25.10 + all AppGini Helper tools

Re: Custom Page, Query Database

Post by andrewlaw » 2025-06-11 20:54

Thanks - is there documentation on how custom queries should be made using the sql functions?

Re: Custom Page, Query Database

Post by jsetzer » 2025-06-12 01:50

Kind regards,
<js />


Re: Custom Page, Query Database

Post by andrewlaw » 2025-06-12 20:37

Thanks, so would this be the correct syntax for an update?

Usual sql:

Code:

$sql = "UPDATE address SET latitude = {$coordinates['latitude']}, longitude = {$coordinates['longitude']} WHERE id = {$data['id']}";
$result = db_query($sql);

The AppGini way:

Code:

$sql = "UPDATE address SET latitude = :latitude, longitude = :longitude WHERE id = :id";
$params = [":latitude" => $coordinates['latitude'], ":longitude" => $coordinates['longitude'], ":id" => $data['selectedID']];
sql($sql, $params);

Re: Custom Page, Query Database

Post by andrewlaw » 2025-06-13 14:09

Turns out the sql function does not accept parameters (at least the type you would normally send to a sql function) which, in my opinion, creates an injection vulnerability.
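
Added example, not part of the original thread and not AppGini's own code: when a query has to be assembled as a string, as in the UPDATE posted above, one mitigation is to validate that every interpolated value is strictly numeric and in range before it is written into the statement. The helper name `build_coordinate_update` and the sample inputs are assumptions; the `address` table and its columns are taken from the post.

```php
<?php
// Added example; build_coordinate_update() is a hypothetical helper, not an AppGini function.
// Table and column names come from the post above.

function build_coordinate_update(array $coordinates, $id): string
{
    // The filters return false for anything that is not purely numeric,
    // so a value such as "17 OR 1=1" never reaches the SQL text.
    $lat = filter_var($coordinates['latitude'] ?? null, FILTER_VALIDATE_FLOAT);
    $lng = filter_var($coordinates['longitude'] ?? null, FILTER_VALIDATE_FLOAT);
    $rowId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    if ($lat === false || $lat < -90 || $lat > 90) {
        throw new InvalidArgumentException('latitude must be a number between -90 and 90');
    }
    if ($lng === false || $lng < -180 || $lng > 180) {
        throw new InvalidArgumentException('longitude must be a number between -180 and 180');
    }
    if ($rowId === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // %F is the locale-independent float format, %d an integer:
    // only digits, a sign and a decimal point are written into the statement.
    return sprintf(
        'UPDATE address SET latitude = %.7F, longitude = %.7F WHERE id = %d',
        $lat, $lng, $rowId
    );
}

// Constructed sample inputs (not data from the thread).
$samples = [
    [['latitude' => '54.3233', 'longitude' => '10.1228'], '17'],
    [['latitude' => '54.3233', 'longitude' => '10.1228'], '17 OR 1=1'],
    [['latitude' => 'north', 'longitude' => '10.1228'], '17'],
];

foreach ($samples as [$coordinates, $id]) {
    try {
        $query = build_coordinate_update($coordinates, $id);
        // In a custom page that has included lib.php, this string is what gets passed to sql().
        echo "OK:       $query\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: " . $e->getMessage() . "\n";
    }
}
```

This covers numeric columns only; text values need escaping or a parameterized driver call, which this example does not show.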