  • #1
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,468
    Thanks
    278
    Thanked 32 Times in 31 Posts

    updating function query

    Hi, I want to add mysql_real_escape_string to the query function, just not sure exactly where would be the best place for it.

    I cannot replace my mysql_escape_string in the files themselves because, since it requires a DB connection, it fails even if I put it after the $db new class call.

    So I am left with placing it at the source, in the query function itself; I'm just not 100% sure where would be best.

    Here is the function.

    PHP Code:

    /* public: perform a query */
    function query($Query_String) {
        /* No empty queries, please, since PHP4 chokes on them. */
        if ($Query_String == "")
            /* The empty query string is passed on from the constructor,
             * when calling the class without a query, e.g. in situations
             * like these: '$db = new DB_Sql_Subclass;'
             */
            return 0;

        if (!$this->connect()) {
            return 0; /* we already complained in connect() about that. */
        }

        # New query, discard previous result.
        if ($this->Query_ID) {
            $this->free();
        }

        if ($this->Debug)
            printf("Debug: query = %s<br>\n", $Query_String);

        $this->Query_ID = @mysql_query($Query_String, $this->Link_ID);
        $this->Row   = 0;
        $this->Errno = mysql_errno();
        $this->Error = mysql_error();
        if (!$this->Query_ID) {
            $this->halt("Invalid SQL: " . $Query_String);
        }

        # Will return nada if it fails. That's fine.
        return $this->Query_ID;
    }

    and this is the free function where I was considering adding the escape.


    PHP Code:

    /* public: discard the query result */
    function free() {
        @mysql_free_result($this->Query_ID);
        $this->Query_ID = 0;
    }
    Last edited by durangod; 08-24-2011 at 06:46 AM.

  • #2
    Banned
    Join Date
    Apr 2011
    Posts
    656
    Thanks
    14
    Thanked 69 Times in 69 Posts
    Since you have a separate class method just to run queries, you'll probably have to sanitise the whole query instead of just the user inputs - which "in theory" should not make any difference.

    Try:
    PHP Code:
    $this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String),$this->Link_ID); 

  • #3
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,468
    Thanks
    278
    Thanked 32 Times in 31 Posts
    Thanks.
    Question: are you saying to add a new line to the free function, or are you saying to modify that similar line in the if-debug portion?

  • #4
    Banned
    Join Date
    Apr 2011
    Posts
    656
    Thanks
    14
    Thanked 69 Times in 69 Posts
    I am suggesting modifying the line in your function query($Query_String) and sanitising the whole query string.

  • Users who have thanked webdev1958 for this post:

    durangod (08-24-2011)

  • #5
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,468
    Thanks
    278
    Thanked 32 Times in 31 Posts
    Oh OK, got ya, thanks for that, I'll give it a whirl...

  • #6
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,468
    Thanks
    278
    Thanked 32 Times in 31 Posts
    Sorry about before, I had it in the wrong place lol, and a typo as well.

    I got it, I have

    PHP Code:

    # New query, discard previous result.
    if ($this->Query_ID) {
        $this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String), $this->Link_ID);
        $this->free();
    }

    so in effect every time I do a query, regardless of the type of query, it will sanitize it this way.
    Last edited by durangod; 08-24-2011 at 09:17 AM.

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,474
    Thanks
    63
    Thanked 537 Times in 524 Posts
    Sanitising the entire string will completely screw it up.

    SELECT * FROM table WHERE user=\'demo\'

    I can't really think of anything to write here now...

  • #8
    Senior Coder
    Join Date
    Nov 2010
    Posts
    1,468
    Thanks
    278
    Thanked 32 Times in 31 Posts
    Yes tango, you are right, that was one of my MySQL errors from before. It does seem to work where it is now, but it did not work, and I got that exact error you mentioned, when I had it in the other location; not sure why it seems to work where it is now. Well, to be honest, I'm not even sure if it's working where it is; it does not toss an error, but I guess I should not assume anything here.

    So what are my options here bud? I am unable to change it on the PHP page; even after the $db class call (at which time I should have an open DB connection) it tells me there is none when I use the new escape on the requests. So I thought my only option was to go directly to the source itself, that way I am assured of having an open connection.
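The failure tango describes (the whole query escaped into `WHERE user=\'demo\'`) next to the approach that avoids it, as an added example that is not code from the thread or from the DB_Sql class: the values are handed to query() separately and bound by the driver, so the escaping happens inside the class while the connection is open. It uses PDO with an in-memory SQLite database so it runs offline; the `DB_Demo` class, the `users` table and `addslashes()` standing in for `mysql_real_escape_string()` are assumptions made for the demo.

```php
<?php
// Added example, not from the thread or the DB_Sql class. Runs offline on
// PHP with pdo_sqlite; class, table and rows are constructed for the demo.
class DB_Demo {
    private $pdo;

    function __construct() {
        $this->pdo = new PDO('sqlite::memory:');
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo->exec("CREATE TABLE users (user TEXT, role TEXT)");
        $this->pdo->exec("INSERT INTO users VALUES ('demo', 'member'), ('o''brien', 'member')");
    }

    /* Post #6's approach: escape the whole query text. addslashes() stands in
     * for mysql_real_escape_string(); both turn the quotes that delimit the
     * string literal into \' so the statement no longer parses. */
    function escapedWholeQuery($sql) {
        return addslashes($sql);
    }

    /* public: perform a query, with the values passed separately. The driver
     * binds them as data, so nothing in the SQL text needs escaping and the
     * connection is open when the binding happens. */
    function query($sql, array $params = array()) {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

$db = new DB_Demo();

// 1. The failure from post #7: the escaped query is rejected by the parser.
$broken = $db->escapedWholeQuery("SELECT * FROM users WHERE user='demo'");
echo "escaped query: ", $broken, "\n";
try {
    $db->query($broken);
} catch (PDOException $e) {
    echo "whole-query escaping breaks the SQL: ", $e->getMessage(), "\n";
}

// 2. Same lookup with the value bound: the demo row comes back.
$rows = $db->query("SELECT * FROM users WHERE user = ?", array('demo'));
echo "bound lookup for demo: ", count($rows), " row(s)\n";

// 3. A value containing a quote needs no escaping at all when it is bound.
$rows = $db->query("SELECT * FROM users WHERE user = ?", array("o'brien"));
echo "bound lookup for o'brien: ", count($rows), " row(s)\n";
```

The mysql_* functions the thread builds on were removed in PHP 7, so the bound-parameter form is also the one that still runs on a current PHP.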

