...

View Full Version : updating function query



durangod
08-24-2011, 06:43 AM
Hi, i want to add mysql_real_escape_string to the query function, just not sure exactly where would be the best place for it.

I cannot replace my mysql_escape_string in the files itself because since it requires a db connection, it fails even if i put it after the $db new class call.

So am left with placing it in at the source and in the query function itself im just not 100% where would be best.

here is the function.




/* public: perform a query */
function query($Query_String) {
/* No empty queries, please, since PHP4 chokes on them. */
if ($Query_String == "")
/* The empty query string is passed on from the constructor,
* when calling the class without a query, e.g. in situations
* like these: '$db = new DB_Sql_Subclass;'
*/
return 0;

if (!$this->connect()) {
return 0; /* we already complained in connect() about that. */
};

# New query, discard previous result.
if ($this->Query_ID) {
$this->free();
}

if ($this->Debug)
printf("Debug: query = %s<br>\n", $Query_String);

$this->Query_ID = @mysql_query($Query_String,$this->Link_ID);
$this->Row = 0;
$this->Errno = mysql_errno();
$this->Error = mysql_error();
if (!$this->Query_ID) {
$this->halt("Invalid SQL: ".$Query_String);
}

# Will return nada if it fails. That's fine.
return $this->Query_ID;
}






and this is the free function where i was considering adding the escape.





/* public: discard the query result */
function free() {
@mysql_free_result($this->Query_ID);
$this->Query_ID = 0;
}

webdev1958
08-24-2011, 08:22 AM
Since you have a separate class method just to run queries, you'll probably have to sanitise the whole query instead of just the user inputs - which "in theory" should not make any difference.

Try:


$this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String),$this->Link_ID);

durangod
08-24-2011, 08:29 AM
Thanks,
question, are you saying to add a new line to the free function or are you saying to modify that similar line in the if debug portion?

webdev1958
08-24-2011, 08:36 AM
I am suggesting modifying the line in your function query($Query_String) and sanitise the whole query string

durangod
08-24-2011, 08:43 AM
oh ok got ya, thanks for that, ill give it a whirl...

durangod
08-24-2011, 09:06 AM
sorry about before i had it in the wrong place lol and a typo as well,

i got it, i have




# New query, discard previous result.
if ($this->Query_ID) {
$this->Query_ID = @mysql_query(mysql_real_escape_string($Query_String),$this->Link_ID);
$this->free();
}



so in affect every time i do a query, regardless of the type or query it will sanatize it this way.

tangoforce
08-24-2011, 01:51 PM
Sanitising the entire string will completely screw it up.

SELECT * FROM table WHERE user=\'demo\'

:rolleyes:

durangod
08-24-2011, 06:18 PM
yes tango your are right, that was one of my msql errors from before, it does seem to work where it is now but did not work and i got that exact error you mentioned when i had it in the other location, not sure why it seems to work where it is now. Well to be honest im not even if its working where it is, it does not toss an error but i guess i should not assume anything here.

So what are my options here bud, i am unable to change it on the php page, even after the $db class call (which i should have an open db connection at that time) it tells me there is none when i use the new escape on the requests. So i thought my only option was to go directly to the source itself, that way i am assured of having an open connection.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum