Redroest Posted February 5, 2010
Hey, I am trying to make an autosecurity for when a query is called. Normally I used mysqli_escape_string($mysqli, $value); for example to secure data and prevent errors. Since I secure everything in my database I want to include this in my database class. I use the following code to extend the mysqli class, but there is still something wrong with the way I use parent::real_escape_string. I tried hundreds of different methods but I can't get it to work.

//Security class
class mysqliSecurity extends mysqli
{
    public function query($query, $resultmode = MYSQLI_STORE_RESULT)
    {
        // escapes the whole query string, not just the data values
        $escape = parent::real_escape_string($query);
        $res = parent::query($escape, $resultmode);
        return $res;
    }
}

//Connect
$mysqli = new mysqliSecurity($db['host'], $db['user'], $db['pass'], $db['dbname']);
if(mysqli_connect_errno()){
    trigger_error('Fout bij verbinding: '.mysqli_connect_error());
}

//example query: (tested and works when using standard mysqli without extension)
$sql = "SELECT * FROM table WHERE blaID='".$ID."'";
if(!$Result = $GLOBALS['mysqli']->query($sql)) {
    trigger_error('Fout in query: '.$GLOBALS['mysqli']->error);
} else {
    while($results = $Result->fetch_assoc()) {
        echo $results['blablaName'].'<br />';
    }
}

This will output an error:
Notice: Fout in query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'xx\'' at line 1 in F:\Active\Core\main.php on line xxx
This means that it DOES escape, but sees it as an error?
justsomeguy Posted February 5, 2010
Print out the query and see what you're sending it. You're escaping the entire query, not just the field data.
You can also use the prepare method to return a mysqli statement object, and then use the bind_param method of that object to add data to the query. bind_param will add quotes around a string if necessary and will also escape all of the data.
http://www.php.net/manual/en/mysqli.prepare.php
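An added example (not code from this thread or from any of its posters) of the prepare/bind_param approach described above, written as the kind of mysqli subclass Redroest asked about: the SQL text keeps '?' placeholders and the values are bound separately, so no part of the query is escaped. It assumes PHP 5.6 or later with the mysqlnd driver (for get_result()); the table and column names are the ones from the question, and the $_GET parameter name is made up.

```php
<?php
// Constructed example: a mysqli subclass whose query helper takes the SQL text
// and the data values separately (prepared statement + bind_param).
// Assumes PHP >= 5.6 (argument unpacking) and mysqlnd (for get_result()).
mysqli_report(MYSQLI_REPORT_OFF); // keep the thread's "false + ->error" style
                                  // (PHP 8.1+ otherwise throws exceptions)

class mysqliSecurity extends mysqli
{
    public $lastStmtError = '';
    // Run $sql, whose data values are written as '?' placeholders, with
    // $params bound according to $types ('i' int, 'd' float, 's' string).
    // Returns an array of associative rows, or false on error.
    public function safeQuery($sql, $types = '', ...$params)
    {
        $stmt = $this->prepare($sql); // only the SQL structure is parsed here
        if ($stmt === false) {
            return false;             // $this->error holds the syntax error
        }
        if ($types !== '') {
            // Values are sent to the server apart from the SQL text, so a
            // quote inside them is just data; nothing is escaped or quoted.
            $stmt->bind_param($types, ...$params);
        }
        if (!$stmt->execute()) {
            $this->lastStmtError = $stmt->error;
            return false;
        }
        $result = $stmt->get_result(); // false for non-SELECT statements
        $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : array();
        $stmt->close();
        return $rows;
    }
}

// Usage with the connection settings and lookup from the original post.
$mysqli = new mysqliSecurity($db['host'], $db['user'], $db['pass'], $db['dbname']);
if (mysqli_connect_errno()) {
    trigger_error('Fout bij verbinding: ' . mysqli_connect_error());
}
$ID = isset($_GET['id']) ? $_GET['id'] : ''; // untrusted input, bound as a string
$rows = $mysqli->safeQuery("SELECT * FROM `table` WHERE blaID = ?", 's', $ID);
if ($rows === false) {
    trigger_error('Fout in query: ' . ($mysqli->error ?: $mysqli->lastStmtError));
} else {
    foreach ($rows as $row) {
        echo htmlspecialchars($row['blablaName']) . '<br />';
    }
}
```

Because the value never becomes part of the SQL text, a quote character in $ID cannot produce the syntax error shown in the first post, and real_escape_string is not needed anywhere in the class.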
Redroest Posted February 5, 2010 Author
So this means that my public function query($query) has something like: "SELECT * FROM table WHERE blabla='blabla'". That's correct, I'd say, because my output is something like \'\'.
Is it wise to use preg_match() or explode() etc. to (for example) cut the string into parts and then use that array to escape everything, and then put everything in (for example) the bind_param method using foreach?
Or am I talking crap right now?
Can you give some kind of example on how you should secure it in a mysqli extends class?
boen_robot Posted February 5, 2010
"Or am I talking crap right now?"
In short... yes.
The best way is to not make people rely on pure SQL queries, but separate the query into "query and parameters", or construct the query in fragments. For example, look at Zend_Db_Statement or Zend_Db_Select respectively.
Redroest Posted February 5, 2010 Author
Haha thanks, I am going to dig into it, you guys will hear from me when I get stuck again.