Jump to content

Mysqli Extends


Redroest
 Share

Recommended Posts

Hey, I am trying to make an autosecurity for when a query is called. Normaly I used mysqli_escape_string($mysqli, $value); for example to secure data and prevent errors. Since I secure everything in my database I want to include this in my database class. I use the following code to extend the mysqli class, but there is still something wrong with the way on how I use parent::real_escape_string. I tried hundreds of different methods but I can't get it to work.//Security class

class mysqliSecurity extends mysqli{  var $escape, $res;  public function query($query)   {	  $escape = parent::real_escape_string($query);		$res  = parent::query($escape);	   	return $res;  }} //Connect$mysqli = new mysqliSecurity($db['host'], $db['user'], $db['pass'], $db['dbname']);if(mysqli_connect_errno()){  trigger_error('Fout bij verbinding: '.$mysqliSecure->error);}//example query: (tested and works when using standard mysqli without extension)  $sql = "SELECT * FROM table WHERE blaID='".$ID."'";  if(!$Result= $GLOBALS['mysqli']->query($sql))  {	trigger_error('Fout in query: '.$GLOBALS['mysqli']->error);  }  else  {	while($results= $Result->fetch_assoc())	{		   echo $results['blablaName'].'<br />';	}  }

This will output an error:Notice: Fout in query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'xx\'' at line 1 in F:\Active\Core\main.php on line xxxThis means that it DOES escape, but sees it as an error?

Edited by Redroest
Link to comment
Share on other sites

Print out the query and see what you're sending it. You're escaping the entire query, not just the field data.You can also use the prepare method to return a mysqli statement object, and then use the bind_param method of that object to add data to the query. bind_param will add quotes around a string if necessary and will also escape all of the data.http://www.php.net/manual/en/mysqli.prepare.php

Link to comment
Share on other sites

So this means that my public function query($query) has something like: "SELECT * FROM table WHERE blabla='blabla'" thats correct id because my output is something like \'\'.Is it wise to use preg_match() or explode() etc to (for example) cut the string into parts and then use that array to escape everything? and then put everything in (for example) bind_param method using foreach?Or am I talking crap right now?Can you give some kind of example on how you should secure it in a mysqli extends class?

Edited by Redroest
Link to comment
Share on other sites

Or am I talking crap right now?
In short... yes.The best way is to not make people rely on pure SQL queries, but separate the query into "query and parameters", or construct the query in fragments. For example, look at Zend_Db_Statement or Zend_Db_Select respectively.
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...