[PHP] OO woes

2004-07-12 Thread Matthew Sims
PHP version 5.0.0RC3 (cgi) (built: Jul  9 2004 13:18:24)

I'm just getting my feet wet with OO and have run into a problem that I'm
not familiar with...yet.

I have a class that does a database connection and query all together. It
all works nicely until my query has a word with quotes around it.

I've tried addslashes and mysql_escape_string but when I do I get a Fatal
Error. It occurs in the execute($query) function down below.

I'm also using the recommended php.ini file...magic quotes off and all.

*
class DB_Mysql {

  protected $user;  // Database username
  protected $pass;  // Database password
  protected $dbhost;// Database host
  protected $dbname;// Database name
  protected $dbh;   // Database handle

  public function __construct($user, $pass, $dbhost, $dbname) {
    $this->user = $user;
    $this->pass = $pass;
    $this->dbhost = $dbhost;
    $this->dbname = $dbname;
  }

  protected function connect() {
    $this->dbh = mysql_connect($this->dbhost, $this->user, $this->pass);

    if (!is_resource($this->dbh)) {
      throw new Exception;
    }

    if (!mysql_select_db($this->dbname, $this->dbh)) {
      throw new Exception;
    }
  }

  public function execute($query) {
    if (!$this->dbh) {
      $this->connect();
    }

    // My $query has quotes in it
    // I try to escape the quotes
    $query = mysql_escape_string($query);
    // It causes an error
    $ret = mysql_query($query, $this->dbh);

    if (!$ret) {
      // An Exception error is thrown
      throw new Exception;
    } elseif (!is_resource($ret)) {
      return TRUE;
    } else {
      $statement = new DB_MysqlStatement($this->dbh, $query);
      return $statement;
    }
  }
}
*

My query statement is:
$query = 'INSERT into aeMail set test=\''.$_POST[test].'\'';

I call the class as follows:
$dbh = new DB_Mysql('user', 'passwd', 'localhost', 'test');
$query = 'INSERT into aeMail set test=\''.$_POST[test].'\'';
$dbh->execute($query);

If the $_POST variable does not contain any quotes, the class works
perfectly. But whenever quotes are passed through, I get the following
error:

Fatal error: Uncaught exception 'Exception' in
/www/htdocs/classes/db_class.php:53 Stack trace: #0
/www/htdocs/letter.php(51): DB_Mysql->execute('INSERT into aeM...') #1
{main} thrown in /www/htdocs/classes/db_class.php on line 53

--Matthew Sims
--http://killermookie.org



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] OO woes

2004-07-12 Thread Dan Joseph
Hi,

Doesn't sound like an OO issue, sounds like you're killing the query
with the '.  You should go thru and maybe do an str_replace( "'", "\'",
$_POST['test'] ) on all your post variables.

-Dan Joseph 

 -Original Message-
 From: Matthew Sims [mailto:[EMAIL PROTECTED] 
 Sent: Monday, July 12, 2004 4:08 PM
 To: [EMAIL PROTECTED]
 Subject: [PHP] OO woes
 Importance: High
 



RE: [PHP] OO woes

2004-07-12 Thread Matthew Sims
 Hi,

  Doesn't sound like an OO issue, sounds like you're killing the query
 with the '.  You should go thru and maybe do an str_replace( "'", "\'",
 $_POST['test'] ) on all your post variables.

 -Dan Joseph


Ha! That did it. Thanks!

--Matthew Sims
--http://killermookie.org






Re: [PHP] OO woes

2004-07-12 Thread Keith Greene
$query = 'INSERT into aeMail set test=\''.$_POST[test].'\'';
Your quotes look screwy to me. You seem to be missing both trailing single 
quotes.
try this:

$query = 'INSERT into aeMail set test=\'''.$_POST[test].'\''';
At 01:07 PM 7/12/2004, Matthew Sims wrote:


Re: [PHP] OO woes

2004-07-12 Thread Chris
Your problem has nothing to do with the Objects (or really even PHP for 
that matter). You're not supposed to run mysql_escape_string on an 
entire query. Here's an example of its usage:

$sString = "This string contains a single-quote (')";
$sQuery = "INSERT INTO mytable SET mystrcolumn='{$sString}',mynumbercolumn=24";

// This just shows what's in $sQuery
"INSERT INTO mytable SET mystrcolumn='This string contains a single-quote (')',mynumbercolumn=24" == $sQuery;

If you were to run $sQuery as it is, it would not parse because the 
single-quote in $sString would indicate the end of that string, and the 
characters following it aren't valid SQL.

But, if you were to use mysql_escape_string on $sString, before putting 
it in the query, everything would work out fine.

$sString = "This string contains a single-quote (')";
$sString = mysql_escape_string($sString);
$sQuery = "INSERT INTO mytable SET mystrcolumn='{$sString}',mynumbercolumn=24";

// This just shows what's in $sQuery
"INSERT INTO mytable SET mystrcolumn='This string contains a single-quote (\')',mynumbercolumn=24" == $sQuery;

Now the single-quote in $sString has been escaped, and MySQL doesn't see 
it as the string delimiter.

On a side note, mysql_real_escape_string would probably be preferable, 
as it takes into account the character set of the current connection.

Chris
Matthew Sims wrote:


Re: [PHP] OO woes

2004-07-12 Thread Matthew Sims
 Your problem has nothing to do with the Objects (or really even PHP for
 that matter). You're not supposed to run mysql_escape_string on an
 entire query.

Yup, you are correct, my bad.

So I ran my $_POST array into array_map before the injection:

$_POST = array_map('mysql_escape_string', $_POST);

And it all worked on nicely.

--Matthew Sims
--http://killermookie.org




Re: [PHP] OO woes

2004-07-12 Thread John W. Holmes
Matthew Sims wrote:
Your problem has nothing to do with the Objects (or really even PHP for
that matter). You're not supposed to run mysql_escape_string on an
entire query.
So I ran my $_POST array into array_map before the injection:
$_POST = array_map('mysql_escape_string', $_POST);
And it all worked on nicely.
That's a waste of resources when you're only using one value out
of $_POST in your query. Why not just turn on magic_quotes_gpc
and have the same effect?
I'd recommend some actual validation methods in your class. Something to 
ensure $_POST'd values are really integers within a range, strings of a 
certain length, etc and prepare them for insertion into a query.

--
---John Holmes...
Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/
php|architect: The Magazine for PHP Professionals  www.phparch.com
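Added example, not code from anyone on this thread: Chris's point (escape the value, never the whole query) taken one step further by binding values as parameters so they are never spliced into the SQL text at all, together with the length and range validation John Holmes asks for. The class and helper names are hypothetical; the demo at the bottom uses an in-memory SQLite DSN so it runs without a server, and the mysql: DSN is the one the original setup would use.

```php
<?php
// Same shape as the DB_Mysql wrapper above, but execute() takes the SQL with
// "?" placeholders and the user data separately. A quote inside
// $_POST['test'] therefore cannot terminate the string literal.
class DB_Safe {
    private $pdo;

    public function __construct($dsn, $user = null, $pass = null) {
        $this->pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        if (strncmp($dsn, 'mysql:', 6) === 0) {
            // Real server-side prepares on MySQL: the driver never builds SQL text from values.
            $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    // $sql holds only placeholders; every user-supplied value goes in $params.
    public function execute($sql, array $params = []) {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Validation helpers (hypothetical names): reject bad input instead of repairing it.
function requireString($value, $maxLen) {
    if (!is_string($value) || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("expected a string of at most $maxLen bytes");
    }
    return $value;
}

function requireIntInRange($value, $min, $max) {
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("expected an integer");
    }
    $n = (int)$value;
    if ($n < $min || $n > $max) {
        throw new InvalidArgumentException("integer outside [$min, $max]");
    }
    return $n;
}

// Demo: constructed input standing in for $_POST, with the quote that broke the original.
$input = ['test' => "it's got a quote ' in it"];
$dbh = new DB_Safe('sqlite::memory:');          // or 'mysql:host=localhost;dbname=test'
$dbh->execute('CREATE TABLE aeMail (test TEXT)');
$dbh->execute('INSERT INTO aeMail (test) VALUES (?)', [requireString($input['test'], 255)]);
$rows = $dbh->execute('SELECT test FROM aeMail')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows[0] === $input['test']);          // bool(true): stored verbatim, no escaping needed
```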