FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » PHP/MySQL oddity
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: PHP/MySQL oddity [message #175484 is a reply to message #175483] Sun, 02 October 2011 02:30 Go to previous messageGo to previous message
Thomas 'PointedEars'  is currently offline  Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma:
Senior Member
Denis McMahon wrote:

> On Sat, 01 Oct 2011 17:31:38 -0400, Mason Barge wrote:
>> On Sat, 01 Oct 2011 20:31:31 +0200, Luuk <Luuk(at)invalid(dot)lan> wrote:
>>> On 01-10-2011 20:14, Mason Barge wrote:
>>>> <form name=...><input type=text . . . value = '<?php echo $info;?>'
>>> After PHP is done, and when $info contains "some'text" (without the
>>> double-quotes) What would you guess to be send to your browser?
>>>
>>> Indeed, it's:
>>> <form name=...><input type=text . . . value = 'some'text'.....
>>
>> Thank you very much.
>>
>> Changed it to value=\"$info\"
>
> You need to understand where and when to use the escape functions.
>
> Specifically, when using text that was supplied by the user in any sql
> statement, use e.g:
>
> <?php
>
> if (isset($_POST['fieldname']))
> {
> $fielddata = mysql_real_escape_string($_POST['fieldname']);
> }
> else
> {
> $fielddata = "some_default_value";
> }
>
> $sql = "UPDATE tablename SET fieldname = '{$fielddata}' WHERE
> _condition_";

This approach fails for

$fielddata = "That's my default";

And let us hope that the default value is not, e. g. because of an
accidental copy & paste operation,

$fielddata = "That'; DROP TABLE tablename; …";

It is a good idea to always escape values in database queries.

It is an even better idea to use prepared statements to do that only when
necessary and in the way required by the used DBMS. MySQLi and PDO are
among the DBA PHP modules which support this.

$mysqli = new Mysqli(…);
$stmt = $mysqli->prepare(
"UPDATE tablename SET fieldname=? WHERE foo = ?");
$stmt->bind_param('ss', $fielddata, $condition);
$stmt->execute();
$stmt->close();

(If you do not like the object-oriented variant you can still use the simple
functional variant. Function identifiers would be `mysqli_prepare' and so
forth.)

Using the mysqli module, and the corresponding MySQL versions, instead of
mysql, and corresponding MySQL versions, is /*strongly*/ recommended:

<http://php.net/manual/en/mysqli.overview.php>

However, I prefer PDO as it is more flexible in terms of configuration and
reuse:

$pdo = new PDO(…);
$stmt = $pdo->prepare(
"UPDATE tablename SET fieldname=:fieldname WHERE foo = :condition");
$stmt->execute(array(
'fieldname' => $fielddata,
'condition' => $condition
));
$stmt->closeCursor();

(You can also still bind your parameters the mysqli way.)

<http://php.net/manual/en/book.pdo.php>

In Zend Framework it would be as simple as

$db = new Zend_Db_Adapter_Pdo_Mysql(…);
$db->update('tablename',
array(
'fieldname' => $fielddata
),
array(
'foo' => $condition
));

< http://framework.zend.com/apidoc/1.11/db_Db_Adapter_Pdo_Mysql.html#%5CZend_ Db_Adapter_Pdo_Mysql>


PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: OCI.DLL and libcs.dll?
Next Topic: Re: NoDQ.com > Columns > WWE Hell in a Cell Preview by TJR Staff
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Dec 01 00:08:17 GMT 2024

Total time taken to generate the page: 0.03952 seconds