Jump to content
MakeWebGames

Help with DB Class.


Haunted Dawg

Recommended Posts

I am trying to set a params to make my queries more secure. I have a code that in place of putting for example:

mysql_query("UPDATE users SET username='$_POST['username']' WHERE userid=$ir['userid']");

That's a simple example.

I am trying to make it like this:

$my = new dbDrive();

$my->dbQuery('UPDATE users SET username = [+n] WHERE userid = [+n]', array($_POST['username'], $self->userid));

As you can notice. The array() represen'ts the [+n]. But unfortunatly it only work's for the first one and not the rest.

I also am currently using this:

$sel = $my->dbQuery("SELECT username,userid FROM users WHERE userid = [+n]", array(1));

$soc = $my->dbAssoc($soc);

It work's perfect with one '[+n]' but not more.

Here is my function:

 

   function dbQuery($DB_Query, $params = array())
   {
       if( !empty($params) )
       {
           $i = 0;
           $yes = $params;
           $query = $DB_Query;
           foreach ($yes as $no)
           {
               $exp = explode('[+n]', $DB_Query);
               if( is_string($exp) )
               {
                   $search = '[+n]';
                   $replace = mysql_real_escape_string(trim($no[$i]));
                   $query = str_replace($search, $replace, $query);
               }
               else
               {
                   $search = '[+n]';
                   $replace = abs(@intval($no[$i]));
                   $query = str_replace($search, $replace, $query);
               }
               $i++;
           }
           $query = $this->dbClean($query);
           $this->last_query = $DB_Query;
           $this->num_querys++;
           $this->result = mysql_query($query, $this->connection_id) or $this->dbError();
           return $this->result;
       }
       else
       {    
           $query = $this->dbClean($query);
           $this->last_query = $DB_Query;
           $this->num_querys++;
           $this->result = mysql_query($query, $this->connection_id) or $this->dbError();
           return $this->result;
       }
   }

 

This use's some of the MCCode and the example came from coderstryke's example.

Link to comment
Share on other sites

Re: Help with DB Class.

 

$my->dbQuery('SELECT * FROM `table` WHERE `x` = "%d" AND `y` = "%s"', $x, $y);

// Then

function dbQuery()
{
   $args = func_get_args();
   $query = vsprintf( array_shift($args), $args);
   // ... etc
}

 

Or, don't bother, and use adodb or something since it'll be much more beneficial in the long run

Link to comment
Share on other sites

Re: Help with DB Class.

Is it possible you're making a mountain out of a molehill?

A query string is just a string. Why go through permutations a contortionist would have have trouble with just to make a query string?

 

It's my opinion that adding all that extra stuff could even make your code less secure. All that replacing, if you don't understand 110% what is going on, could come back to bite you in the rear.

I would suggest making methods in your db class that validate and cleanse one thing at a time. Have something for strings that allow html, strings with no html, integers with no negatives, integers with negatives, and so on.

Cleanse the individual variables that are user submitted. You might even cleans some variables with values that are set by the script if needed.

Then just make a query string on the fly either by concatenating or using sprintf.

Link to comment
Share on other sites

Re: Help with DB Class.

Floydian.. that is only some of my code.. and i tend not to put all my code up here i only put up what's neccesary to get it working.

My db class in some how check's my entire database for maliciouse thing's and in designated place's check's for negative number's that should not be there.

Got anything further to say about my DB Class i'm willing to post back.

Link to comment
Share on other sites

Re: Help with DB Class.

Luke. *gasp* at mccode v2.. pfft no thank you hehe.

My code as of yet i do not know how fast it is nor how slow it is. I will try and speed it up once i get everything working so i can test it all once i get it all working.

I was also thinking about doing something to the sort of:

$my->dbQuery('UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]', array($my->dbClean($username),$my->dbClean($userid)));

And again.. my dbClean function also check's wether it is a number or a string. That work's perfectly fine tho.

All i want to do is keep my own function but get it working.

I think preg_replace will work. but i do not know how to check for thing's. I do not know the REGEX to use. I saw something like this:

preg_replace("`^([+n])$`ims', $replacement, $query);

But i am not sure if this work's or not.

Any idea's?

Link to comment
Share on other sites

Re: Help with DB Class.

I do not want to use a engine created by some one else and take's me about 2 week's to get used to it.

Rather stick with this one as i created it and am used to all the function's. Or either go direct with mysql_query(""); and secure the input's above.

I would rather also like to stay away from sprintf() since so many people are using it now a day's and rumours going around is that it is not as secure as people say it is. Directly from php.net website itself i think.

In a way my function perform's as sprintf. But knowing that i can add more check's to my function the hole time to me that seem's safer. You might think i am stupid but i am not. For example.

$sql = sprintf('UPDATE `users` SET `username` = \'%d\' WHERE `userid`= %s', $_POST['username'], $ir['userid']);

Yes we can make that secure. But how secure? Of course we can add MRES & htmlentities to username and etc.

But what if my name for example is:

%_Kyle_%,

%death_row%

Trust me i have seen name's like that. And some where on this forum i saw that some one stated with announcement mod using sprintf and when he used % an error occured.

Atleast with mine i can alway's change something around. Knowing what to do. Knowing i wont mess it up. ETC.

But i suppose if no one is going to fix that code up ill go post it up on phpfreaks forum and await a faster response on how to fix it than rather people redirecting me to different class engine's.

Link to comment
Share on other sites

Re: Help with DB Class.

Well I'm not going to fix or create the code for you but I will help illustrate :)

First take your query string and explode it into an array so you'll get something like so

 

$x = explode("[+n]", "UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]");

Will yield...

Array
(
   [0] => UPDATE `users` SET `username` = 
   [1] =>  WHERE `userid` = 
   [2] => 
)

 

Then loop though your query parameters and add them to the end of said pieces, then combine the pieces and you'll have a query ready to submit to mySQL.

:)

Link to comment
Share on other sites

Re: Help with DB Class.

 

Is it possible you're making a mountain out of a molehill?

Sort of like you? You couldn't get INNODB installed on you machine so now there is only myISAM where you have to create some quasi transaction routines? But yea I guess your interpreted PHP code is way faster then the compiled c/c++ written INNODB.

This is my favorite...

Try using smarty ;)

It has a great text replacement feature.

http://www.smarty.net/

Use the smarty TEMPLATE engine to do text replacement on a query string LOL. So what create a template file for each sql command and run it though $smarty->fetch. Now that would be considered making a mountain.

Link to comment
Share on other sites

Re: Help with DB Class.

The %'s in a name like that wouldn't pose a problem with a simple = deal in a query.

Where you can get into trouble is when you use like in the query. Naturally, one shouldn't be allowing anything but letters, numbers, underscores, and spaces in names IMHO.

sprintf is not a means of securing anything. It is a function that formats a string. It's how you format a string that gives you security or weaknesses. It's that way with anything. Using encryption doesn't mean your data is secure if you leave the key in the open.... or use something simple like "key" for your key lol

Link to comment
Share on other sites

Guest Anonymous

Re: Help with DB Class.

lmao Codestryke! I noticed that reference to Smarty and had to reply.

Floydian... Go on, please explain WHY smarty is ideal for this purpose.

And Killah, just explain Why this is in the Pro PHP section when it really should be under the beginners section. Assuming you had actually read the f..ing manual you would have realized that parameter replacement is BUILT IN to the MySQL(i) extension libraries, and out-performs any PHP code you can produce.

Link to comment
Share on other sites

Re: Help with DB Class.

Nyna, my reference to smarty was to illustrate the absurdity of what killah is trying to do by suggesting he do something even more absurd.

Killah, we could tell you how to do what you're doing, but why would we tell you how to do something that is completely the wrong way to do it?

If you want to do something as assinine as what you're doing when the ENTIRE CE COMMUNITY is telling you it's a bad idea, then figure it out yourself, or try smarty like I said. It does have fantastic text replacement features. ;)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...