Method 1
global $database;
$user = new stdClass;
$user->id = NULL;
$user->name = $name;
$user->username = $username;
if (!$database->insertObject( '#__users', $user, 'id' )) {
echo $database->stderr();
return false;
}
return $user->id;
Method 2
$db = JFactory::getDBO();
$query = $db->getQuery(true);
$query->insert($db->nameQuote('#__users'));
$query->set($db->nameQuote('name').'='.$db->quote($$name).','.
$db->nameQuote('username').'='.$db->quote($username));
$db->setQuery( $query );
$db->query();
$new_id = $db->insertId();
I'm using Joomla and use both above queries which lets me the get the work done. My problem is what is the difference between method 1 and method 2? What's the industry standard? Are there any specific situation I should use above methods? Which one is better and why?
Thanks
Method 1 (M1) and Method 2 (M2) are both valid Joomla! 2.5 mechanisms, M1 uses a semi automated method and is probably more commonly used where you are already working with objects.
M2 is obviously a more specific set of steps but both will work the abstraction provided by JDatabase et. al. to isolate you from the database server.
Having said that M1 is only used in a few places (literally) in the entire Joomla! 2.5 installation (not counting /libararies/joomla/database/) while M2 is used extensively
The only odd thing is the use of a global in M1, normally Joomla! coding standards eschew the use of globals preferring rather to use OOP or factory patterns instead. So, something like this:
$database = JFactory::getDBO();
instead of using the global reference.
Related
I'm working to create a function that call a field in joomla database.
Is that a good usage to prevent sql injection?
// Get std objects
if (strlen($urlparams)<5) {
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select('params');
$query->from($db->quoteName('#__template_styles'));
$query->where($db->quoteName('id')." = ".$db->quote($urlparams));
$db->setQuery($query);
$row = $db->loadResult();
}
else {
echo 'Something is going worng.';
}
Thank you and best regards.
You current method is perfectly fine as it uses the most up to date Joomla coding standards.
The only thing I would do it use quoteName() in your select clause which is used to escape field names. So you would end up with the following:
$query->select($db->quoteName('params'));
If you are ever in doubt, have a look at Joomla's:
Secure Coding Guidelines and
Documentation for Accessing the Database
I start a new slim project with twig support, I want to use PDO as database layer, what is the way to integrate? or just use GLOBAL $db?
Thanks.
i'm against mutable globals. you could use a simple factory method returning your connection:
function db() {
static $db = null;
if (null === $db)
$db = new PDO(...);
return $db;
}
if you're about to deal with more of such problems, consider a registry (see this one).
Regarding mutable globals:
I'm against such things because, well, they are easy to be mutated.
What happens if, during the flow of a program, circumstances change unexpectedly?
Things break.
If you're the only one working on the project, globals might be ok.
But from my experience, even in this scenario, keeping track of global variables becomes a hassle and offends logical organisation of your code.
What if you come to the point of sharing your code with other who will overwrite such global?
Also, globals contradict the methodology of data encapsulation in the context of seperation of concerns.
All this plays into the big, wide science of software architecture.
Additionally, using a factory in this specific case ensures that you only keep one single reference to the connection to your database.
Look this project: Slim-PDO (github)
Documentation is here
Install via composer: $ composer require slim/pdo
Simple usage:
$app->container->singleton('database', function () use ($app) {
return new \Slim\PDO\Database($app->config('db.dsn'), $app->config('db.usr'), $app->config('db.pwd'));
});
// SELECT * FROM users WHERE id = ?
$selectStatement = $app->database->select()
->from('users')
->where('id', '=', 1234);
$stmt = $selectStatement->execute();
$data = $stmt->fetch();
// INSERT INTO users ( id , usr , pwd ) VALUES ( ? , ? , ? )
$insertStatement = $app->database->insert(array('id', 'usr', 'pwd'))
->into('users')
->values(array(1234, 'your_username', 'your_password'));
$insertId = $insertStatement->execute(false);
So I've been following this tutorial on JPagination and on the section about with JDatabase it has a variable $option on line 2 "$option.limit". (It hasn't been referenced anywhere else on the page, I'm unsure on where this value is being declared/initialized).
$db =& JFactory::getDBO();
$lim = $mainframe->getUserStateFromRequest("$option.limit", 'limit', 14, 'int'); //I guess getUserStateFromRequest is for session or different reasons
$lim0 = JRequest::getVar('limitstart', 0, '', 'int');
$db->setQuery('SELECT SQL_CALC_FOUND_ROWS x, y, z FROM jos_content WHERE x',$lim0, $lim);
$rL=&$db->loadAssocList();
if (empty($rL)) {$jAp->enqueueMessage($db->getErrorMsg(),'error'); return;}
else {
////Here the beauty starts
$db->setQuery('SELECT FOUND_ROWS();'); //no reloading the query! Just asking for total without limit
jimport('joomla.html.pagination');
$pageNav = new JPagination( $db->loadResult(), $lim0, $lim );
foreach($rL as $r) {
//your display code here
}
echo $pageNav->getListFooter( ); //Displays a nice footer
I've had a look around joomla docs on pages such as this to see if the $option variable is relevant to the limitBox, because the limitbox is what is setting the amount things to be displayed. But I haven't had much luck.
Therefore I'm wondering how are you meant to obtain the information from the variable $option and/or the current selection from the LimitBox in JPagination.
Pastebin link to my implementation [expires in 24 hours]
The article is out of date in a few ways, it was originally written for J1.5 and assumes a lot of knowledge about the inner workings. I wouldn't recommend it for J2.5.
Pagination is mostly automatic today if you're following the J2.5 MVC and using it's built-in (for the most) part user state mechanism. To start with, in J2.5 your model should should be extending JModelList if you're displaying a list of content items. JModelList extends JModel by adding useful features for dealing with lists.
One of these features is the populateState() method, in it's base state it will look after your list limits for you if you're using a <select> named limit. It does this by managing the base userState for you, I would recommend reading through /administrator/com_contact and /libraries/joomla/application/component/modellist.php (Joomla API JModelList).
populateState() is used to help the model keep track of basics for your component in a semi-automatic way. In addition to list limits, it will also track the search field and the sort column & it's direction. If you extension needs to track other user states or override settings you can create a populateState() in your model file - just remember to call the parent before hand so you still get the built-in benefits. e.g.
protected function populateState()
{
parent::populateState();
$app = JFactory::getApplication('site');
/* Do some groovy stuff here
* like adding our own form variables to the state to use later
*/
$srid = $this->getUserStateFromRequest($this->context.'.project.srid','srid');
$this->setState('project.srid', $srid);
}
For user state you can read more in this article (which also covers Pagination briefly) "How to use user state variables"
I'm currently creating a simple CMS for my small website in PHP5. This is my first 'larger' project in PHP. First I'm creating the needed classes that would simplify me the work a little bit, and there I'm stuck. I need your opinions about the following function inside my UserInfo class:
public function setUser($id) {
if(!isset($id)) {
return false;
}
session_start();
$conn = new mysql($_SESSION['DBCONNINFO']);
$sql = "SELECT
usr.ID,
usr.USERNAME as TUSERNAME,
usr.FIRST_NAME,
usr.LAST_NAME,
usr.PHONE,
usr.MOBILE,
usr.EMAIL,
usr.ADDITIONAL_INFO,
usr.LAST_LOGIN_DATE,
usr.USER_GROUP_ID
FROM cms_users usr
WHERE usr.id = " . $id;
$result = $conn->query_cust($sql);
$conn=null;
foreach ($result as $row) {
$this->id = $row['usr']['ID'];
$this->username = $row['usr']['TUSERNAME'];
$this->firstname = $row['usr']['FIRST_NAME'];
$this->lastname = $row['usr']['LAST_NAME'];
$this->phone = $row['usr']['PHONE'];
$this->mobile = $row['usr']['MOBILE'];
$this->email = $row['usr']['EMAIL'];
$this->additional_info = $row['usr']['ADDITIONAL_INFO'];
$this->last_login_date = $row['usr']['LAST_LOGIN_DATE'];
$this->user_group = $row['usr']['USER_GROUP_ID'];
}
return true;
}
Am I doing it the right way, I'm not talking about the syntax, for now I focus on the class structure, design and best practices - any opinion would be appreciated.
Could I call the session_start(), for example, in the class constructor and use the vars inside it without calling it each time in a function !?
Should I close the DB connection via the close() function or is $conn=null acceptable !?
Is it a bad practice to store the database information in the session class !? If yes, where to store it as a 'global' variable - $_GLOBAL !?
If there is a 'PHP bes practice class structures in 5 minutes for dummies' please notify me :)
Thanks in advance.
Use define to define all of your constants.
For example:
define('DBCONNINFO', "something");
Also you only have to call session_start() once, it can be done anywhere in your script.
It doesn't make a lot of sense to fetch the data from the database for every request if you're using sessions anyway. In which case, why is session_start() being called inside the setUser() method?
And we can't really comment on the class structure when you've only provided a single method.
Also, since the representation of data leaving PHP should be appropriate to the substrate where that data is going (to prevent SQL injection, email header injection, CSS....) then it's good practice to defer changes to the representation of the data until just before the point where it leaves PHP. e.g.
$sql = "SELECT
....
WHERE usr.id = " . mysql_real_escape_string($id);
(or use bound parameters)
However since users are usually identify themselves by their username rather than their userid, it rather implies that $id came from somewhere other than user supplied data - in which case where? And why are you using this as the identifier when you've already got an identifier for the session (which is where this data should be getting stored).
Or do you want to use this class for processing data relating to users other than the user of the current session - in which case there is no way that there should be a session_start() in there.
Sorry - but this is not well thought out code and not a well presented question.
BTW, setting the connection to null does not close the database connection.
I would like to get the exact SQL INSERT query that Doctrine generates when an object's save() method is called.
Preferably, I would like to get it in the postSave() event of the model and log it in a txt file.
For instance:
<?php
$user = new User(); // A Doctrine Model with timestampable behavior enabled
$user->first_name = 'Manny';
$user->last_name = 'Calavera';
$user->save();
?>
I want to get/log the following SQL query:
INSERT INTO user (first_name, last_name, created_at, updated_at) VALUES ('Manny', 'Calavera', '2010-08-03 12:00:00', '2010-08-03 12:00:00');
The background for needing this, is that I wish to mass-import later the data by parsing the txt file.
I don't think there is any easy way to do this since the behaviour of save() varies depending on a few different things (if you're inserting/updating).
If you had created a doctrine query object, then you can call the getSqlQuery() method like this:
$q = Doctrine_Query::create()
->select('u.id')
->from('User u');
echo $q->getSqlQuery();
but the save() is a method, not an object so this won't work. I think you'll have to hack in some code to detect whether you're inserting or updating and build a query to log on the fly and then use save().
I know this suggestion is not ideal because it is not logging 'exactly' what save() is doing but for the purposes you stated it should still work just as well.
Why don't you try to see how the symfony developers do it? Check their WebDebug Toolbar for Doctrine here. The WebDebug Toolbar outputs all query that you do on a page.
There's a hook on DoctrineEvent, and I think you can modify the code to do what you want. Check the getDoctrineEvents and getSqlLogs method.
Hope this helps. If you need further explanation, please write it in comment, I'll try my best to explain.
Take a look here: http://www.phpandstuff.com/articles/codeigniter-doctrine-scratch-day-8-hooks-profiling-dql and go to the section headed Profiling with Doctrine and Creating a Profiler Hook. Altough this is for the use with the CodeIgniter framework, it can be easy adopted to your own environment since the code has no dependencies to the framework.
You basically want to set up a Connection Profiler and let it write all queries to a file. I suggest appending all queries to the file to have a better "log"-like feeling. Don't get confused by many framework talk inside the articles. The examples work very well (with a little understanding and copy&pasting) in other scenarios.
you can use the profiler from the sfDoctrineDatabase class. Use the getQueryExecutionEvents to grab all queries.
$databaseManager = sfContext::getInstance()->getDatabaseManager();
if ($databaseManager) {
foreach ($databaseManager->getNames() as $name) {
$database = $databaseManager->getDatabase($name);
if ($database instanceof sfDoctrineDatabase && $profiler = $database->getProfiler()) {
foreach ($profiler->getQueryExecutionEvents() as $event) {
$conn = $event->getInvoker() instanceof Doctrine_Connection ? $event->getInvoker() : $event->getInvoker()->getConnection();
$params = sfDoctrineConnectionProfiler::fixParams($event->getParams());
$query = $event->getQuery() ;
foreach ($params as $param) {
$param = htmlspecialchars($param, ENT_QUOTES, sfConfig::get('sf_charset'));
$query = join(var_export(is_scalar($param) ? $param : (string) $param, true), explode('?', $query, 2));
}
// log the $query here, or use the symfony's logger
// sfContext::getInstance()->getLogger()->debug(sprintf('Query Run !! %s ', $query));
}
}
}
}
dont forget to join the query with the parameters (so it will replace ? with the values )
:D
You can convert you DQL query to SQL by this function: http://tokarchuk.ru/2010/12/dql-query-to-raw-sql/