| Re: PHP/MySQL oddity [message #175484 is a reply to message #175483] |
Sun, 02 October 2011 02:30   |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma:
|
Senior Member |
|
|
Denis McMahon wrote:
> On Sat, 01 Oct 2011 17:31:38 -0400, Mason Barge wrote:
>> On Sat, 01 Oct 2011 20:31:31 +0200, Luuk <Luuk(at)invalid(dot)lan> wrote:
>>> On 01-10-2011 20:14, Mason Barge wrote:
>>>> <form name=...><input type=text . . . value = '<?php echo $info;?>'
>>> After PHP is done, and when $info contains "some'text" (without the
>>> double-quotes) What would you guess to be send to your browser?
>>>
>>> Indeed, it's:
>>> <form name=...><input type=text . . . value = 'some'text'.....
>>
>> Thank you very much.
>>
>> Changed it to value=\"$info\"
>
> You need to understand where and when to use the escape functions.
>
> Specifically, when using text that was supplied by the user in any sql
> statement, use e.g:
>
> <?php
>
> if (isset($_POST['fieldname']))
> {
> $fielddata = mysql_real_escape_string($_POST['fieldname']);
> }
> else
> {
> $fielddata = "some_default_value";
> }
>
> $sql = "UPDATE tablename SET fieldname = '{$fielddata}' WHERE
> _condition_";
This approach fails for
$fielddata = "That's my default";
And let us hope that the default value is not, e. g. because of an
accidental copy & paste operation,
$fielddata = "That'; DROP TABLE tablename; …";
It is a good idea to always escape values in database queries.
It is an even better idea to use prepared statements to do that only when
necessary and in the way required by the used DBMS. MySQLi and PDO are
among the DBA PHP modules which support this.
$mysqli = new Mysqli(…);
$stmt = $mysqli->prepare(
"UPDATE tablename SET fieldname=? WHERE foo = ?");
$stmt->bind_param('ss', $fielddata, $condition);
$stmt->execute();
$stmt->close();
(If you do not like the object-oriented variant you can still use the simple
functional variant. Function identifiers would be `mysqli_prepare' and so
forth.)
Using the mysqli module, and the corresponding MySQL versions, instead of
mysql, and corresponding MySQL versions, is /*strongly*/ recommended:
<http://php.net/manual/en/mysqli.overview.php>
However, I prefer PDO as it is more flexible in terms of configuration and
reuse:
$pdo = new PDO(…);
$stmt = $pdo->prepare(
"UPDATE tablename SET fieldname=:fieldname WHERE foo = :condition");
$stmt->execute(array(
'fieldname' => $fielddata,
'condition' => $condition
));
$stmt->closeCursor();
(You can also still bind your parameters the mysqli way.)
<http://php.net/manual/en/book.pdo.php>
In Zend Framework it would be as simple as
$db = new Zend_Db_Adapter_Pdo_Mysql(…);
$db->update('tablename',
array(
'fieldname' => $fielddata
),
array(
'foo' => $condition
));
< http://framework.zend.com/apidoc/1.11/db_Db_Adapter_Pdo_Mysql.html#%5CZend_ Db_Adapter_Pdo_Mysql>
PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]