I am wondering whether it is possible to call functions on string literals (Like in Python) in PHP (Tried googling, but 90% sure my terminology is off).
Example python:
"test,1,2,3".split()
I want to achieve something like (In php psuedo code):
$result = "SELECT `db`.`table`.`field` FROM `db`.`table` WHERE 1"->query();
Currently I am doing this:
$result = MySql::query("SELECT `db`.`table`.`field` FROM `db`.`table` WHERE 1");
But I really like the simplicity of the middle example and was wondering if anything like that is possible in PHP, maybe by overriding the PHP string class?
The difference is that everything in Python (and similar OO languages) is an object, that's why even strings have "methods" and "properties". PHP isn't a full top-to-bottom OO language, strings are just primitive strings. Even if they were objects, a string probably wouldn't have methods pertaining to database queries, because that'd be quite weird OO design with terribly mixed responsibilities.
There's no real way to do what you're talking about
$result = "SELECT `db`.`table`.`field` FROM `db`.`table` WHERE 1"->query();
In this example, your string is just a string. You then try to reference it like an object. In this case, you would get a Fatal error because you're telling PHP to use an object where none exists.
The closest thing to what you describe is direct chaining, where you create an instance of the class and reference it in the same statement (available in PHP >= 5.4)
$class = (new Class())->function();
I have a website hosted on a shared hosting.
They have php 5.2.13 installed.
I know the vulnerabilities of SQL Injection and I want to prevent it.
So I want to use PDO or mysqli for preventing it.
But the problem when I used phpinfo(); to view the hosting environment php setup info,
I found that there was no mysql driver for PDO and there was no support for mysqli in it.
So I wanted to know whether it will be safe to use that old mysql_* functions( along with
functions like mysql_real_escape_string).
I looked at this one on SO but it wasn't much helpful to me.
Prepared statements possible when mysqli and PDO are not available?
UPDATE:
I forgot to mention that most of the queries will be simple. There are no forms used so no user input will be used to make a query. All the queries will be hard coded with necessary parameters and they will not be changed once set.
No. The lack of more secure solutions is never a valid excuse to fall back to a less secure or more vulnerable solution.
You're much better off finding a different hosting provider that doesn't disable arbitrary PHP features even in their shared hosting packages. Oh, and try to get one that uses PHP 5.3, or better yet if you can, PHP 5.4.
If you're really rigorous about always using mysql_real_escape_string() with all user-supplied input then I think you should be safe from any SQL injection that prepared statements protects you from.
How perfect are you at this? I'll bet most of the buffer overflow vulnerabilities were created by programmers who thought they were good at checking inputs....
A good way to do that is to implement a Wrapper class for the use of the mysql_* functions, with a few methods to create prepared statements.
The idea is that you must pass strongly-typed parameters in your queries.
For instance, here is a piece of code with the general idea. Of course it needs more work.
But that can prevent from SQL Injection attacks if it's fairly implemented.
You can also search for 3rd party libraries that already implement that, because this is common.
<?php
class MyDb
{
protected $query;
public function setQuery($query)
{
$this->query = $query;
}
public function setNumericParameter($name, $value)
{
if (is_numeric($value)) // SQL Injection check, is the value really an Int ?
{
$this->query = str_replace(':'.$name, $value);
}
// else, probably an intent of SQL Injection
}
// Implement here the methods for all the types you need, including dates, strings, etc
public function fetchArray()
{
$res = mysql_query($this->query);
return mysql_fetch_array($res);
}
}
MyDb $db = new MyDb();
$db->setQuery('SELECT * FROM articles WHERE id = :id');
$db->setNumericParameter('id', 15);
while ($row = $db->fetchArray())
{
// do your homework
}
So, if I want to pull some data from my database (PHP, MySql), whether I'm writing for a class or hard-coded, I've been doing something along the lines of:
$x = "SELECT <column(s)> FROM <table> WHERE <conditions>";
$y = mysql_query($x);
while($result = mysql_fetch_assoc($y))
{
echo $result['column']; // etc
}
Obviously I use a function or class (depending on design pattern) so pulling data like this is done in one line, I just wondered if I was doing 'too much work' and if there was a quicker way of doing this.
Thanks.
You can get tighter code by using a more up-to-date PHP module to access your database.
The mysql_xxx() functions that you're using have been superseded by the mysqli_xxx() functions. This uses similar code, but provide more features and security than the older library:
$query = 'SELECT <column(s)> FROM <table> WHERE <conditions>';
if ($result = $mysqli->query($query)) {
while ($row = $result->fetch_assoc()) {
print $row['column'];
}
}
You can find out more about MySQLi (including how it differs from the old MySQL library) here: http://php.net/manual/en/book.mysqli.php
But for really concise code, you might consider looking into the PDO library. Your query could be expressed with PDO like this:
$sql = 'SELECT <column(s)> FROM <table> WHERE <conditions>';
foreach ($conn->query($sql) as $row) {
print $row['column'];
}
...and if you really wanted to, the first two lines of that code could be combined as well.
Find out more about PDO at the PHP manual site: http://www.php.net/manual/en/book.pdo.php
Looks good. you maybe can merge the first tow lines into "$y = mysql_query('SELECT FROM WHERE ');"
And notice that in PHP its faster (from compile time) to use single quotes (') rather that double quotes (").
It depends on the further work, but you might wanna consider loading the info into XML dom format. (If you want to do more sophisticated things that just representing the data)
i got this code
while ($aResult = mysql_fetch_array($result))
{
$sResult[$aResult[userID]] = $aResult;
}
but i want to know is there a faster way to put everything from $aresult in the sresult global?
It depends on the definition of "faster". If you want minimum CPU usage, you propably should use the function above, or as Col. said, try to avoid fetching all and use pointers.
If you want less coding time, consider using a a wrapper such as PEAR DB. With it you can just write $res = $db->getAll( $SQL );
http://pear.php.net/manual/en/package.database.db.db-common.getall.php
So I have this database class in PHP and I only have 1 function in it (other than __construct and __destruct. Let me explain further...
I had originally written it so when I connected to a database I would just call my function connect_to_db() which returned a mysqli object. I then used this objects functions (->query(), ->prepare(), ->bind_param(), et cetera..) to do whatever. This cluttered (and still is as I haven't switched my code over to my new class yet) with a lot of functions that just do specific things, for example:
function get_country_info($db, $usrid) {
$statement = "select `name`, `population`, `money`, `food` from `countries` where `usr_id` = ?";
$qry = $db->prepare($statement) or
trigger_error("get_country_info():statement failed...");
$qry->bind_param("i", $usrid);
$qry->execute();
$qry->bind_result($name, $population, $money, $food);
$qry->fetch();
$res = array("name" => $name,
"pop" => $population,
"money" => $money,
"food" => $food);
return $res;
}
And what I originally planned to do was just to throw these into a class for clarity, but what I actually ended up doing was creating a class that when created creates a mysqli object for a specific database (supplied via an argument) and when destroyed closes off this link. I very much like not having to worry about typing $db->close(); as when the script finishes executing the connection is closed.
It only has 1 other function; query(). This function can handle any query put forth and outputs it as a multidimensional array. It uses eval(). From what I understand this is generally frowned upon - but eval() is so useful; so why is it frowned upon?
I guess the function may be slow, but seen as I'm just using it for a pet project (browser based country management game) and I haven't noticed anything I'm not worried about that at all. What I am worried about is whether people would generally do this in the 'real world' or whether there is some sort of standard by which people do this, or perhaps something included (or add-on-able) in PHP which is usually used?
I'm self taught, so sometimes I don't really know the best way to go about doing things. Perhaps somebody could advise me here?
The function in question can be seen here: http://pastebin.org/353721, as its ~60 lines and I don't want to clutter the page. I also haven't extensively tested it (I don't even know what unit tests are, so I test by using the function in a lot of different ways) so it may have problems I'm not aware of that you guys can point out.
Thanks.
Doesn't seem to me too bad. You have basically done a really basic wrapper around the database, and you performed the very first step in database independence, which is good.
This can be good for small and well organized projects, but once you will start going more complicated, you will soon notice that your approach has one large disadvantage: you still have your SQL queries split around the site. The day you will change anything in the database, you'll need to go through all your site and look for all the SQL statements: this is bad (I had to do it once...).
You should now move all the SQL code to one place. So there are various options. In a similar context, I made the query() method protected, then made the Db class "abstract" and subclassed it. Each subclass is a class which contains several methods relative to a specific set of tables, and this is the only place where you find SQL. All the rest of the project can only call these methods.
Or, even better, you could use an ORM (oblect relational mapper) which would map each table to an object.
For what concerns the evils of evals: I never used them. But I thought I wasn't going to use a "goto" because it's evil, and then I found the magic place where that was the perfect fit. So, if you have investigated all the possibilities, and you think that's the optimal solution... use it.
Instead of eval, you can use call_user_func() or call_user_func_array().
You should check the return value of execute().
Your function does not support subselects which contain multiple comma's, but only return one value.
You can use trim() instead of ltrim(rtrim()).
I would still use a function like get_country_info() on top of this db class. Often, you want to do something with the data before your application can use it. More importantly, you want to abstract the data storage from your application. That is, the method which uses the country info does not need to know that it came from the database.
As Techpriester wrote: brake it down into smaller parts.
I recommend at least:
the argument to bind converter
the single and multi param bind if-else branch
the sql statement parser (find out about returned fields)
One other approach to your problem would be to build the sql statement inside your query class (arguments would be field names, the table, the where constraints,... ) and to develop subclasses for different query types. This would elimiate the need to parse the statement.
Above this layer you would put a bunch of DAO classes to do the actual work.
But wait: others have done this... (maybe a lot of others to be specific). So using PDO, Doctrine, Propel or even a bigger library like ZendFramework (active record pattern there...) would be the most valuable and stable option.
If you, however, want to learn something about software architecture and OO Systems. Go ahead and build your own, if you do it well you can switch to another DB Layer as soon as your system grows (Version 2.x :-) ).
First: The eval() in your function doesn't serve any purpose as I see it. Why don't you call the $qry->... things directly?
Second, your function is way to complex. Brake it down into smaller parts that call each other.
Third: Manipulating SQL Statements is generally a very bad idea. It's error prone as soon as you feed your function with something like nested statements or other more complicated SQL code. So just don't do it.
Fourth: I wouldn't recommend using mysqli anymore. You should switch to PDO.
As I understand it, your function tries to find out, what fields were in the SELECT clause of the query to build the result array. That is only necessary if you want to allow your database layer it to execute arbitrary queries which is also not a good idea.
When I have to use classic SQL in an application, I predefine every query that I need in some method or function. That function then will know exactly what field it has to read from the result set. So there's no need to parse the SQL code. However, mostly I try to avoid SQL by using things like Doctrine ORM. SQL is just too prone to errors...
About eval(): It is entirely and absolutely evil for several reasons:
It may open the door to code injection.
It makes code unreadable to humans and unparsable to an IDE
It's nearly impossible to debug code that uses eval()
Not really a problem of eval() itself, but when you have to use it, that's a sign of a flawed design.
To your question - you need some experience to learn why there are "best practices", why eval() is deprecated, why people use prepared statements etc.
I'd recommend you to have a look at http://dibiphp.com/cs/ for a nice and concise DB layer for PHP.
You could also try Java when you get some clue about web technologies.
Then you can use cool things like iBatis, which almost got it to PHP
I personally once had a lib for DB, which was used like this:
$aasAreas = Array();
$sSQL = "SELECT id, x, y, x2 AS r, popis FROM ".$oFW->GetOption('tables.areas')
." WHERE id_ad=".asq((int)$_GET['id']);
$oRes = $oFW->GetDB()->Select($sSQL);
if(!$oRes || !$oRes->IsOk()){ $sError = $oRes->GetError(); break; }
else while( $a = $oRes->FetchRow() ){
$aasAreas[] = $a;
}
[OT] And some ORM for PHP attempt, used like this:
// Load by ID
echo "<h3>Load by ID</h3>";
$iID = 1;
echo "<pre>\$oObject = \$oOP->LoadObjectById(".$oClass->GetName().", $iID);</pre>";
$oUser = $oOP->LoadObjectById($oClass, $iID);
echo "<pre>oUser: [".gettype($oUser)."]".AdjustedPrintR($oUser)."</pre>";
echo "<div>GetPoolCount(): ".$oOP->GetPoolCount()."</div>";
// Save
echo "<h3>Save</h3>";
$oUser = new cObjectPersistenceTestClass_User();
$oUser->SetId(1);
$oUser->SetProperty('user', 'as'.rand());
$oUser->SetProperty('pass', 'as');
$oUser->SetProperty('fname', 'Astar');
$oUser->SetProperty('lname', 'Seran');
echo "<pre>oUser: [".gettype($oUser)."]".AdjustedPrintR($oUser)."</pre>";
$bSucc = $oOP->SaveObject($oUser);
echo "<div>".($bSucc ? 'saved' : 'error')."</div>";
// Load by value - load object created above -> Object Pool hit
$xVal = $oUser->GetProperty('user');
$aoUsers = $oOP->LoadObjectsByValue($oClass, 'user', $xVal);
echo "<pre>\$aoUsers: [".gettype($aoUsers)."]".AdjustedPrintR($aoUsers)."</pre>";
etc.