Haunted Dawg (thread author), posted January 19, 2009:

I am trying to set up params to make my queries more secure. I have code that, in place of putting, for example:

    mysql_query("UPDATE users SET username='{$_POST['username']}' WHERE userid={$ir['userid']}");

That's a simple example. I am trying to make it like this:

    $my = new dbDrive();
    $my->dbQuery('UPDATE users SET username = [+n] WHERE userid = [+n]', array($_POST['username'], $self->userid));

As you can notice, the array() represents the [+n]. But unfortunately it only works for the first one and not the rest. I also am currently using this:

    $sel = $my->dbQuery("SELECT username,userid FROM users WHERE userid = [+n]", array(1));
    $soc = $my->dbAssoc($sel);

It works perfectly with one '[+n]' but not more. Here is my function:

    function dbQuery($DB_Query, $params = array())
    {
        if ( !empty($params) ) {
            $i = 0;
            $yes = $params;
            $query = $DB_Query;
            foreach ($yes as $no) {
                // $no is already the current parameter, so it is used directly
                if ( is_string($no) ) {
                    $search  = '[+n]';
                    $replace = mysql_real_escape_string(trim($no), $this->connection_id);
                    // str_replace replaces every '[+n]' still left in $query, not just the next one
                    $query   = str_replace($search, $replace, $query);
                } else {
                    $search  = '[+n]';
                    $replace = abs(@intval($no));
                    $query   = str_replace($search, $replace, $query);
                }
                $i++;
            }
            $query = $this->dbClean($query);
            $this->last_query = $DB_Query;
            $this->num_querys++;
            $this->result = mysql_query($query, $this->connection_id) or $this->dbError();
            return $this->result;
        } else {
            // no parameters: the query text is used as given
            $query = $this->dbClean($DB_Query);
            $this->last_query = $DB_Query;
            $this->num_querys++;
            $this->result = mysql_query($query, $this->connection_id) or $this->dbError();
            return $this->result;
        }
    }

This uses some of the MCCode and the example came from codestryke's example.
POG1, posted January 19, 2009:

Re: Help with DB Class.

Use this... http://criminalexistence.com/ceforums/i ... ic=18421.0
Haunted Dawg (thread author), posted January 19, 2009:

No thank you. I want to use my own one.
Haunted Dawg (thread author), posted January 20, 2009:

Bump
codestryke, posted January 20, 2009:

You can't use str_replace because it replaces all instances of needle with haystack. That's why only the first param works ;)
Haunted Dawg (thread author), posted January 21, 2009:

Will preg_replace work for this?
Decepti0n, posted January 21, 2009:

    $my->dbQuery('SELECT * FROM `table` WHERE `x` = "%d" AND `y` = "%s"', $x, $y);

    // Then
    function dbQuery()
    {
        $args  = func_get_args();
        $query = vsprintf(array_shift($args), $args);
        // ... etc
    }

Or, don't bother, and use adodb or something since it'll be much more beneficial in the long run.
Floydian, posted January 21, 2009:

Is it possible you're making a mountain out of a molehill? A query string is just a string. Why go through permutations a contortionist would have trouble with just to make a query string? It's my opinion that adding all that extra stuff could even make your code less secure. All that replacing, if you don't understand 110% what is going on, could come back to bite you in the rear.

I would suggest making methods in your db class that validate and cleanse one thing at a time. Have something for strings that allow HTML, strings with no HTML, integers with no negatives, integers with negatives, and so on. Cleanse the individual variables that are user submitted. You might even cleanse some variables with values that are set by the script if needed. Then just make a query string on the fly either by concatenating or using sprintf.
Haunted Dawg (thread author), posted January 21, 2009:

Floydian.. that is only some of my code.. and I tend not to put all my code up here; I only put up what's necessary to get it working. My db class somehow checks my entire database for malicious things and in designated places checks for negative numbers that should not be there. Got anything further to say about my DB class? I'm willing to post back.
Haunted Dawg (thread author), posted January 21, 2009:

Luke. *gasp* at mccode v2.. pfft, no thank you hehe. My code, as of yet, I do not know how fast it is nor how slow it is. I will try and speed it up once I get everything working so I can test it all once I get it all working. I was also thinking about doing something of the sort of:

    $my->dbQuery('UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]', array($my->dbClean($username), $my->dbClean($userid)));

And again.. my dbClean function also checks whether it is a number or a string. That works perfectly fine though. All I want to do is keep my own function but get it working. I think preg_replace will work, but I do not know how to check for things. I do not know the REGEX to use. I saw something like this:

    preg_replace('`^([+n])$`ims', $replacement, $query);

But I am not sure if this works or not. Any ideas?
Floydian, posted January 21, 2009:

Try using smarty ;) It has a great text replacement feature. http://www.smarty.net/
Haunted Dawg (thread author), posted January 21, 2009:

I do not want to use an engine created by someone else that takes me about 2 weeks to get used to. I'd rather stick with this one as I created it and am used to all the functions. Or else go direct with mysql_query(""); and secure the inputs above.

I would also rather stay away from sprintf() since so many people are using it nowadays and rumours going around say that it is not as secure as people say it is. Directly from the php.net website itself, I think. In a way my function performs as sprintf. But knowing that I can add more checks to my function the whole time, to me that seems safer. You might think I am stupid but I am not. For example:

    $sql = sprintf('UPDATE `users` SET `username` = \'%d\' WHERE `userid`= %s', $_POST['username'], $ir['userid']);

Yes, we can make that secure. But how secure? Of course we can add MRES & htmlentities to username and etc. But what if my name, for example, is: %_Kyle_%, %death_row%

Trust me, I have seen names like that. And somewhere on this forum I saw that someone stated, with the announcement mod using sprintf, that when he used % an error occurred. At least with mine I can always change something around. Knowing what to do. Knowing I won't mess it up. ETC.

But I suppose if no one is going to fix that code up I'll go post it up on the phpfreaks forum and await a faster response on how to fix it, rather than people redirecting me to different class engines.
codestryke, posted January 21, 2009:

Well I'm not going to fix or create the code for you but I will help illustrate :)

First take your query string and explode it into an array so you'll get something like so:

    $x = explode("[+n]", "UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]");

Will yield...

    Array
    (
        [0] => UPDATE `users` SET `username` = 
        [1] =>  WHERE `userid` = 
        [2] => 
    )

Then loop through your query parameters and add them to the end of said pieces, then combine the pieces and you'll have a query ready to submit to mySQL. :)
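The explode-and-append approach described in the post above, written out as a complete standalone function. This is an added example, not code from the thread or from any of its posters; `buildQuery`, the `[+n]` marker handling and the `addslashes` stand-in escaper are this example's own choices. A real DB class would pass a closure around mysql_real_escape_string() or mysqli_real_escape_string() bound to its connection, so that escaping matches the connection's character set.

```php
<?php
// Added example, not the thread's code: placeholder substitution by
// exploding on '[+n]' and re-joining piece by piece, so each parameter
// lands in exactly one slot (str_replace would fill every slot at once).

function buildQuery(string $template, array $params, callable $escape): string
{
    $pieces = explode('[+n]', $template);
    $slots  = count($pieces) - 1;

    // A placeholder/parameter mismatch is a programming error; refuse to
    // build a half-filled query rather than guess what was meant.
    if ($slots !== count($params)) {
        throw new InvalidArgumentException(
            "query has $slots placeholder(s) but " . count($params) . " parameter(s) were given"
        );
    }

    $sql = $pieces[0];
    foreach (array_values($params) as $i => $value) {
        if (is_int($value)) {
            $literal = (string) $value;             // integers are emitted bare
        } elseif (is_string($value)) {
            $literal = "'" . $escape($value) . "'"; // strings are escaped AND quoted
        } elseif ($value === null) {
            $literal = 'NULL';
        } else {
            throw new InvalidArgumentException('unsupported parameter type: ' . gettype($value));
        }
        $sql .= $literal . $pieces[$i + 1];
    }
    return $sql;
}

// Stand-in escaper so the example runs without a database server. In a real
// DB class use: fn(string $s) => mysqli_real_escape_string($link, $s)
$escape = static fn(string $s): string => addslashes($s);

// Constructed sample input: a name with a quote in it and an integer id.
echo buildQuery(
    'UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]',
    ["O'Neil", 7],
    $escape
), "\n";

// Request input arrives as a string; cast it to int before passing it so it
// takes the bare-integer path instead of being quoted as a string.
echo buildQuery(
    'SELECT `username`, `userid` FROM `users` WHERE `userid` = [+n]',
    [(int) '42'],
    $escape
), "\n";

// Too few parameters: reported instead of leaving a literal '[+n]' in the SQL.
try {
    buildQuery('UPDATE `users` SET `username` = [+n] WHERE `userid` = [+n]', ['only-one'], $escape);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Walking the exploded pieces in order is what makes this work where a loop over str_replace does not: each parameter is appended once and the next piece of SQL follows it, so a parameter can never spill into another slot.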
Haunted Dawg (thread author), posted January 21, 2009:

I see where you're getting at. So said pieces will be:

    $x[0] .= $secure_code;
    $x[1] .= $blah;

Somewhat like that?
codestryke, posted January 21, 2009:

Yup :)
codestryke, posted January 21, 2009:

> Is it possible you're making a mountain out of a molehill?

Sort of like you? You couldn't get INNODB installed on your machine so now there is only myISAM where you have to create some quasi transaction routines? But yea, I guess your interpreted PHP code is way faster than the compiled c/c++ written INNODB.

This is my favorite...

> Try using smarty ;) It has a great text replacement feature. http://www.smarty.net/

Use the smarty TEMPLATE engine to do text replacement on a query string LOL. So what, create a template file for each sql command and run it through $smarty->fetch. Now that would be considered making a mountain.
Floydian, posted January 21, 2009:

The %'s in a name like that wouldn't pose a problem with a simple = deal in a query. Where you can get into trouble is when you use LIKE in the query. Naturally, one shouldn't be allowing anything but letters, numbers, underscores, and spaces in names IMHO.

sprintf is not a means of securing anything. It is a function that formats a string. It's how you format a string that gives you security or weaknesses. It's that way with anything. Using encryption doesn't mean your data is secure if you leave the key in the open.... or use something simple like "key" for your key lol
Guest Anonymous, posted January 22, 2009:

lmao Codestryke! I noticed that reference to Smarty and had to reply. Floydian... Go on, please explain WHY smarty is ideal for this purpose.

And Killah, just explain why this is in the Pro PHP section when it really should be under the beginners section. Assuming you had actually read the f..ing manual you would have realized that parameter replacement is BUILT IN to the MySQL(i) extension libraries, and out-performs any PHP code you can produce.
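The two points made in the last two posts, shown together as an added example (not code from the thread or any poster): the thread's UPDATE and SELECT done with mysqli's built-in parameter binding, and then the one case Floydian singles out where % and _ in a name such as %_Kyle_% actually matter, a LIKE search, with the wildcards escaped before the pattern is bound. DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are placeholders, the table layout (users: userid INT, username VARCHAR) is assumed from the thread, and `prep`, `escapeLikeTerm` and the `!` escape character are this example's own choices.

```php
<?php
// Added example, not code from the thread. mysqli prepared statements send
// the SQL text and the values separately, so quotes or wildcards in a value
// cannot change the statement. The LIKE section shows the escaping that a
// pattern still needs, because there '%' and '_' are wildcards by design.

function prep(mysqli $link, string $sql): mysqli_stmt
{
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        exit("prepare failed: {$link->error}\n");
    }
    return $stmt;
}

// Escape the LIKE metacharacters in a user-supplied search term. The escape
// character itself is escaped first, then the wildcards. '!' is chosen to
// sidestep backslash handling differences between PHP, MySQL and sql_mode.
// str_replace's replace-every-occurrence behaviour is exactly right here.
function escapeLikeTerm(string $term, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

// Placeholders: substitute real connection details.
$link = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($link->connect_error) {
    exit("connect failed: {$link->connect_error}\n");
}
$link->set_charset('utf8mb4'); // binding and escaping are charset-aware; set it explicitly

// Constructed sample input standing in for $_POST['username'] and the session user id.
$username = '%_Kyle_%';
$userid   = 7;

// 1. UPDATE with bound values: 's' = string, 'i' = integer.
$stmt = prep($link, 'UPDATE `users` SET `username` = ? WHERE `userid` = ?');
$stmt->bind_param('si', $username, $userid);
if (!$stmt->execute()) {
    exit("execute failed: {$stmt->error}\n");
}
printf("updated %d row(s)\n", $stmt->affected_rows);
$stmt->close();

// 2. Exact match: '=' compares the stored value literally, so the '%' and '_'
//    in the bound name need no special treatment at all.
$stmt = prep($link, 'SELECT `userid`, `username` FROM `users` WHERE `username` = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id, $name); // bind_result does not require mysqlnd, unlike get_result()
while ($stmt->fetch()) {
    printf("exact: %d %s\n", $id, $name);
}
$stmt->close();

// 3. LIKE search for names containing the literal text "_Kyle_": the term is
//    escaped, wrapped in the search wildcards, bound as a string, and the
//    ESCAPE clause tells MySQL which character neutralises wildcards.
$pattern = '%' . escapeLikeTerm('_Kyle_') . '%'; // becomes %!_Kyle!_%
$stmt = prep($link, "SELECT `userid`, `username` FROM `users` WHERE `username` LIKE ? ESCAPE '!'");
$stmt->bind_param('s', $pattern);
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    printf("like: %d %s\n", $id, $name);
}
$stmt->close();
$link->close();
```

Without the escaping in step 3, a search for `_Kyle_` would also match `xKylex`, and a search term of `%` alone would match every row; that is the LIKE-specific trouble the post above refers to, and it is separate from injection, which binding already rules out.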
Haunted Dawg (thread author), posted January 22, 2009:

Yeah.. explain why it should be in the beginners' section either?
POG1, posted January 22, 2009:

It's only a class and therefore not "pro".
Haunted Dawg (thread author), posted January 22, 2009:

Yet none of the 'beginners' won't know how to fix it.
Isomerizer, posted January 22, 2009:

> Yet none of the 'beginners' won't know how to fix it.

Most of the beginners on here don't even know how to use mres correctly; however, it's still classed as "beginners".
Haunted Dawg (thread author), posted January 22, 2009:

If you think they will tear apart my idea. Funny thing that within my first post I solved someone's problem, eh?
Floydian, posted January 22, 2009:

Nyna, my reference to smarty was to illustrate the absurdity of what killah is trying to do by suggesting he do something even more absurd.

Killah, we could tell you how to do what you're doing, but why would we tell you how to do something that is completely the wrong way to do it? If you want to do something as asinine as what you're doing when the ENTIRE CE COMMUNITY is telling you it's a bad idea, then figure it out yourself, or try smarty like I said. It does have fantastic text replacement features. ;)
Haunted Dawg (thread author), posted January 22, 2009:

Why need to use a different engine? I want mine; the thing is you people do not understand that, except for codestryke. And I have managed to do what I want; I have now fixed it to the way I want it. Thanks to the example codestryke provided above.