I am currently updating a section of code that uses mysql currently the escape string is structured like this: $product_name = mysql_real_escape_string(trim($_POST['product_name'])); and works fine.
My issue is when I change the above string to $product_name = mysqli_real_escape_string($database, (trim($_POST['product_name']))); and declare the following: $database = $this->load->database(); above it I get the error that its NULL
How do I escape a string with CI?
CodeIgniter user manual wrote the following.
Beyond simplicity, a major benefit to using the Active Record features is that it allows you >to create database independent applications, since the query syntax is generated by each >database adapter. It also allows for safer queries, since the values are escaped >automatically by the system.
You can use Input class in your controller.
$this->load->model('mymodel');
$something = $this->input->post('something');
$results = $this->mymodel->mymethod($something);
In your model
$this->db->insert('mytable', $data);
You use
$this->db->query("select ?",array("value"));
Where each ? In thee select is the variable you want escaped
Related
Hi when ever I want to insert a comment into my database, I sanitize the data by using Mysql Escape String function this however inserts the following verbatim in field. I print the comment and it works fine and show me the text however when ever I sanitize it, it literally inserts the following into my db
mysql_real_escape_string(Comment)
This is my insert statement, The Id inserts correctly however the comment doesn't it just inserts the "mysql_real_escape_string(Comment)" into the field. what can be wrong?
foreach($html->find("div[class=comment]") as $content){
$comment = $content->plaintext;
$username = mysql_real_escape_string($comment);
$querytwo = "insert into Tchild(Tid,Tcomment)values('$id','$username')";
$resulttwo = $db -> Execute($querytwo);
}
If I'm reading the documentation correctly, you should make the call like this:
$db->Execute("insert into Tchild(Tid,Tcomment)values(?, ?)", array($id, $username));
That will account for proper escaping. Having unescaped values in your query string is dangerous and should be avoided whenever possible. As your database layer has support for SQL placeholders like ? you should make full use of those any time you're placing data in your query.
A call to mysql_real_escape_string will not work unless you're using mysql_query. It needs a connection to a MySQL database to function properly.
Since you're using ADODB, what you want is probably $db->qstr(). For example:
$username = $db->qstr($comment, get_magic_quotes_gpc());
See this page for more information: http://phplens.com/lens/adodb/docs-adodb.htm
I have the following query
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber=".$this->put('invoiceNumber');
Here $this->put('invoiceNumber'); always have values like "M\34\SD". Due to slashes in values it doesn't work as expected.
I researched and found the mysql_escape_string can be used for this purpose but its deprecated now as per the manual. So whats my best bet here?
Why not use Codeingiter Active Record instead? An example:
$this->db->where('invoiceNumber', $this->put('invoiceNumber'));
$this->db->delete('salesinvoiceitems');
Taken from Codeigniter documentation:
Beyond simplicity, a major benefit to using the Active Record features
is that it allows you to create database independent applications,
since the query syntax is generated by each database adapter. It also
allows for safer queries, since the values are escaped automatically
by the system.
There's a method in the activerecord called escape, so you should :
$invoice = $this->db->escape($yourVar);
$query = "DELETE FROM salesinvoiceitems WHERE invoiceNumber=$invoice";
Which will protect against sql injection as it escapes the var.
Try this
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber=".addslashes($this->put('invoiceNumber'));
Try strip slashes
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber='".($this->put('invoiceNumber')). "'";
I have the following line of code :
mysql_query("SELECT name FROM details WHERE md5(name) = '".md5($input_name)."'");
This query works just fine , however , when i change the query to the following :
mysql_query("SELECT name FROM details WHERE salt(name) = '".salt($input_name)."'");
The query doesn't seem to work.
The salt function is as follows :
function salt ($name) {
global $salt;
return $salt.$name;
}
where $salt is a global variable ( an md5 hash)
Why doesn't the second query work ?
MySQL has no access to functions you define in PHP. You can only use functions that MySQL defines in a MySQL query, or functions that you have written in SQL. You'll have to rethink what you're doing and express it in a way that does not require MySQL to use PHP functions.
Functions in PHP and functions in MySQL is two seperate things.
When sending MySQL queries, MySQL will be responsible for parsing the string you are sending. And MySQL doesn't know of any of the PHP code you made - and vice versa.
Wouldnt this be easily done by:
$saltinput = salt($input_name)
mysql_query("SELECT name FROM details WHERE salt(name) = '$salitinput'");
I have been trying to figure this out, but google wasn't turning up any real answers to my question.
I am using PHP (with CodeIgniter) and MySQL, is there a way that I can use bind variables with my SQL Statements?
Well, with CI you can:
$sql = "SELECT * FROM table WHERE name = ? AND email = ?";
$query = $this->db->query($sql, array($name,$email));
return $query->row_array();
This binds the $name and $email variable to th respective positions inside the query string. Is this what you mean?
There's also Active Record (a custom ORM, or sortof), which is pretty nice.
All of the above automatically escape values. You can also escape manually with $this->db->escape($string) and, for column names, with $this->db->protect_identifier($column_name). But it's all in the manual, have a read at it.
You can use PDOStatement::bindParam(), which may be significantly faster than CIs functions, depending on the use case.
I am developing a web application using zend framework. For select statements I have used following way.
Ex:
public function getData($name)
{
$sql = "SELECT * from customer where Customer_Name = '$name'";
return $this->objDB->getAdapter()->fetchAll ($sql);
}
This works fine. But If I send customer name as : colvin's place,
The query fail. And I know it's because of the single quote.
Earlier I used addslashes PHP function. But I saw it is not a good way to do this. This time I used mysql_real_escape_string PHP function.
The issue is it says following warning.
Warning</b>: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: Access denied for user 'ODBC'#'localhost' (using password: NO)
This is because of the mysql_real_escape_string function needs a connection to the database opened by mysql_connect. My question is how can I use this with *Zend_DB* classes. I need to use custom select queries always. Appreciate your other suggestions if available.
Thank you
You can use the quote() function provided by Zend_Db:
http://framework.zend.com/manual/en/zend.db.adapter.html#zend.db.adapter.quoting.quote
You could use parameter binding as well, then the method will look like:
public function getData($name)
{
$sql = "SELECT * from customer where Customer_Name = :name";
return $this->objDB->getAdapter()->fetchAll ($sql, ['name' => $name]);
}
Then your data will be escaped automatically
I had this problem, I used this way and is working correctly:
You can use quote():
The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters. The standard SQL string value delimiter is the single-quote (').
But quote returns a string with 'string' (return it inside quotation), for example I get an string from user from a input-text box (or by URL in GET method)
$string = $this->parameters['string']; // This is like $_POST or $_GET
$string = $this->db->quote($string);
$string = substr($string, 1, strlen($string)-2);
//The above line will remove quotes from start and end of string, you can skip it
Now we can use this $string, and it is like what mysql_real_escape_string returns
I had the same problem and this solution works fine for me. I hope this will help.
you can do something like this:
$quote_removed_name = str_replace("'","''",$name);
then write your query this way:
$sql = "SELECT * from customer where Customer_Name = '$quote_removed_name'";