Web Analytics Made Easy -
StatCounter updating function query - CodingForum

Announcement

Collapse
No announcement yet.

updating function query

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • updating function query

    Hi, i want to add mysql_real_escape_string to the query function, just not sure exactly where would be the best place for it.

    I cannot replace my mysql_escape_string in the files itself because since it requires a db connection, it fails even if i put it after the $db new class call.

    So am left with placing it in at the source and in the query function itself im just not 100% where would be best.

    here is the function.

    PHP Code:

    /* public: perform a query */
      
    function query($Query_String) {
        
    /* No empty queries, please, since PHP4 chokes on them. */
        
    if ($Query_String == "")
          
    /* The empty query string is passed on from the constructor,
           * when calling the class without a query, e.g. in situations
           * like these: '$db = new DB_Sql_Subclass;'
           */
          
    return 0;

        if (!
    $this->connect()) {
          return 
    0/* we already complained in connect() about that. */
        
    };

        
    # New query, discard previous result.
        
    if ($this->Query_ID) {
          
    $this->free();
        }

        if (
    $this->Debug)
          
    printf("Debug: query = %s<br>\n"$Query_String);

        
    $this->Query_ID = @mysql_query($Query_String,$this->Link_ID);
        
    $this->Row   0;
        
    $this->Errno mysql_errno();
        
    $this->Error mysql_error();
        if (!
    $this->Query_ID) {
          
    $this->halt("Invalid SQL: ".$Query_String);
        }

        
    # Will return nada if it fails. That's fine.
        
    return $this->Query_ID;
      } 

    and this is the free function where i was considering adding the escape.


    PHP Code:

    /* public: discard the query result */
      
    function free() {
          @
    mysql_free_result($this->Query_ID);
          
    $this->Query_ID 0;
      } 
    Last edited by durangod; Aug 24, 2011, 01:46 AM.
    I am not crazy, my computer had me checked :)
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

  • #2
    Since you have a separate class method just to run queries, you'll probably have to sanitise the whole query instead of just the user inputs - which "in theory" should not make any difference.

    Try:
    PHP Code:
    $this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String),$this->Link_ID); 

    Comment


    • #3
      Thanks,
      question, are you saying to add a new line to the free function or are you saying to modify that similar line in the if debug portion?
      I am not crazy, my computer had me checked :)
      If a php file only has php code within it you do not need to use the closing php tag
      A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
      durangod is short for durango dave

      Comment


      • #4
        I am suggesting modifying the line in your function query($Query_String) and sanitise the whole query string

        Comment


        • #5
          oh ok got ya, thanks for that, ill give it a whirl...
          I am not crazy, my computer had me checked :)
          If a php file only has php code within it you do not need to use the closing php tag
          A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
          durangod is short for durango dave

          Comment


          • #6
            sorry about before i had it in the wrong place lol and a typo as well,

            i got it, i have

            PHP Code:

            # New query, discard previous result.
                
            if ($this->Query_ID) {
                 
            $this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String),$this->Link_ID);
                 
            $this->free();
                } 
            so in affect every time i do a query, regardless of the type or query it will sanatize it this way.
            Last edited by durangod; Aug 24, 2011, 04:17 AM.
            I am not crazy, my computer had me checked :)
            If a php file only has php code within it you do not need to use the closing php tag
            A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
            durangod is short for durango dave

            Comment


            • #7
              Sanitising the entire string will completely screw it up.

              SELECT * FROM table WHERE user=\'demo\'

              "Tango says double quotes with a single ( ' ) quote in the middle"
              '$Name says single quotes with a double ( " ) quote in the middle'
              "Tango says double quotes ( \" ) must escape a double quote"
              '$Name single quotes ( \' ) must escape a single quote'

              Comment


              • #8
                yes tango your are right, that was one of my msql errors from before, it does seem to work where it is now but did not work and i got that exact error you mentioned when i had it in the other location, not sure why it seems to work where it is now. Well to be honest im not even if its working where it is, it does not toss an error but i guess i should not assume anything here.

                So what are my options here bud, i am unable to change it on the php page, even after the $db class call (which i should have an open db connection at that time) it tells me there is none when i use the new escape on the requests. So i thought my only option was to go directly to the source itself, that way i am assured of having an open connection.
                I am not crazy, my computer had me checked :)
                If a php file only has php code within it you do not need to use the closing php tag
                A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
                durangod is short for durango dave

                Comment

                Working...
                X