PHP version 5.0.0RC3 (cgi) (built: Jul  9 2004 13:18:24)

I'm just getting my feet wet with OO and have run into a problem that I'm
not familiar with...yet.

I have a class that does a database connection and query all together. It
all works nicely until... until my query has a word with quotes around it.

I've tried addslashes and mysql_escape_string but when I do I get a Fatal
Error. It occurs in the execute($query) function down below.

I'm also using the recommended php.ini file...magic quotes off and all.

*****************************************
class DB_Mysql {

    protected $user;      // Database username
    protected $pass;      // Database password
    protected $dbhost;    // Database host
    protected $dbname;    // Database name
    protected $dbh;       // Database handle

    public function __construct($user, $pass, $dbhost, $dbname) {
        $this->user = $user;
        $this->pass = $pass;
        $this->dbhost = $dbhost;
        $this->dbname = $dbname;
    }

    protected function connect() {
        $this->dbh = mysql_connect($this->dbhost, $this->user, $this->pass);

        if (!is_resource($this->dbh)) {
            throw new Exception;
        }

        if (!mysql_select_db($this->dbname, $this->dbh)) {
            throw new Exception;
        }
    }

    public function execute($query) {
        if (!$this->dbh) {
            $this->connect();
        }

        // My $query has quotes in it
        // I try to escape the quotes
        $query = mysql_escape_string($query);
        // It causes an error
        $ret = mysql_query($query, $this->dbh);

        if (!$ret) {
            // An Exception error is thrown
            throw new Exception;
        } elseif (!is_resource($ret)) {
            return TRUE;
        } else {
            // Result set: hand it to a statement object (variable name fixed,
            // it was misspelled $statment in the original post)
            $statement = new DB_MysqlStatement($this->dbh, $query);
            return $statement;
        }
    }
}
*****************************************

My query statement is:
$query = 'INSERT into aeMail set test=\''.$_POST["test"].'\'';

I call the class as follows:
$dbh = new DB_Mysql("user","passwd","localhost","test");
$query = 'INSERT into aeMail set test=\''.$_POST["test"].'\'';
$dbh->execute($query);

If the $_POST variable does not contain any quotes, the class works
perfectly. But whenever quotes are passed through, I get the following
error:

Fatal error: Uncaught exception 'Exception' in
/www/htdocs/classes/db_class.php:53 Stack trace: #0
/www/htdocs/letter.php(51): DB_Mysql->execute('INSERT into aeM...') #1
{main} thrown in /www/htdocs/classes/db_class.php on line 53

--Matthew Sims
--<http://killermookie.org>
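The call to mysql_escape_string() is applied to the whole assembled statement, so the quotes that delimit the string literal are escaped too and the INSERT is no longer valid SQL; when the call is left out, the $_POST value reaches the query unescaped. The following is an added example, not the poster's code: a version of the wrapper that sends the value as a bound parameter, so the driver never sees it as part of the SQL text. It assumes the mysqli extension (PHP 5.6 or later, for argument unpacking) rather than the mysql_* functions used in the post, and placeholder credentials.

```php
<?php
// Added example: the untrusted value travels as a bound parameter, not as
// part of the statement string. Assumes mysqli and PHP >= 5.6; the table
// aeMail(test) is the poster's, the credentials are placeholders.
class DB_Mysql
{
    private $dbh;

    public function __construct($user, $pass, $dbhost, $dbname)
    {
        $this->dbh = new mysqli($dbhost, $user, $pass, $dbname);
        if ($this->dbh->connect_error) {
            throw new Exception('connect failed: ' . $this->dbh->connect_error);
        }
    }

    // $sql carries ? placeholders; $params holds one value per placeholder.
    // The statement text is parsed before any value is attached, so a quote
    // inside $_POST['test'] can neither break the syntax nor change what the
    // statement does. Only the values need escaping; escaping the whole
    // query, as in the original wrapper, corrupts the SQL itself.
    public function execute($sql, array $params = array())
    {
        $stmt = $this->dbh->prepare($sql);
        if ($stmt === false) {
            throw new Exception('prepare failed: ' . $this->dbh->error);
        }
        if (count($params) > 0) {
            // Bind every value as a string; MySQL converts on its side.
            $types = str_repeat('s', count($params));
            $stmt->bind_param($types, ...$params);
        }
        if (!$stmt->execute()) {
            throw new Exception('execute failed: ' . $stmt->error);
        }
        return $stmt;   // caller reads affected_rows or get_result() as needed
    }
}

$dbh = new DB_Mysql('user', 'passwd', 'localhost', 'test');
// "it's" carries the apostrophe that made the original wrapper throw;
// here it is stored verbatim.
$stmt = $dbh->execute('INSERT INTO aeMail SET test = ?', array("it's"));
echo $stmt->affected_rows, " row inserted\n";
```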



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php