Request database_queryf() functions.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

	After having been talking to lots of people in irc lately who are
haveing problems with SQL injection etc i think that haveing a
*_queryf() function would be really useful to help people esp when it
comes to integers and the id=$id where $id = "1 OR" and name='$name'
where $name = "name' OR" issues for example.

	Most of the sprintf formatting would take care of itself but any %s
would automatically have addslashes() applied.

I have a php implementation below for the mysql database.

Let me know what you think or if i have missed anything.

<?php


/* ~ * MySQL queryf() function example. ~ */

define('DEBUG', true);

// usage:
// mysql_queryf($query, $link_identifier = NULL, $arg1, $arg2....$argN);

function mysql_queryf() {
~    $args = func_get_args();
~    if(!isset($args[0]) || !(is_null($args[1]) || is_resource($args[1])
) ){
~        return false;
~    }

~    $formatString = array_shift($args);
~    $linkIdentifier = array_shift($args);

~    $parts = preg_split('/%([
0]|\'.)?-?[0-9]*(\\.[0-9]*)*[%abcdufosxX]/', $formatString, -1,
PREG_SPLIT_OFFSET_CAPTURE);
~    $newString = "";
~    for($i = 0; $i < count($parts); $i++){
~        $start = $parts[$i][1] + strlen($parts[$i][0]);
~        if(isset($parts[$i + 1][1])){
~            $length = $parts[$i + 1][1] - $start;
~        }else{
~            $length = strlen($formatString) - $start;
~        }
~        $formatCode = substr($formatString, $start, $length);
~        $newString .= $parts[$i][0].sprintf($formatCode,
(isset($args[$i]) ? ((substr($formatCode, -1, 1) == 's') ?
addslashes($args[$i]) : $args[$i]) : NULL));
~    }
~    if(DEBUG === true){
~        print("Query is:\n".$newString."\n");
~    }else{
~        if(is_resource($linkIdentifier)){
~            return mysql_query($newString, $linkIdentifier);
~        }else{
~            return mysql_query($newString);
~        }
~    }
}


mysql_queryf('SELECT * FROM blah WHERE id=%d AND name=\'%\'.-34s\' AND account=\'%0.2f\' AND blah=%06d AND value > \'30%%\'', NULL, '1 OR', 'name\'s');

?>

Output:

Query is:
SELECT * FROM blah WHERE id=1 AND
name='name\'s...........................' AND account='0.00' AND
blah=000000 AND value > '30%'


- -- Regards, William Bailey. Pro-Net Internet Services Ltd. http://www.pro-net.co.uk/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArKwGzSfrYDJMXmERAlTAAJ9NMfOG3nLlsU4kPGPDB0UekYh70QCfYBqS
8FDg6oC1MtUWgaK6A/GYmsg=
=MtCS
-----END PGP SIGNATURE-----

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux