Preventing SQL injecting in a database class

Posted by Josh on Stack Overflow See other posts from Stack Overflow or by Josh
Published on 2010-03-29T19:17:37Z Indexed on 2010/03/29 19:33 UTC
Read the original article Hit count: 118

Filed under:

php

|

class

|

database

|

mysql

|

sql

I'm building a database class and thought it'd be a good idea to incorporate some form of SQL injection prevention (duh!). Here's the method that runs a database query:

class DB
{
    var $db_host    = 'localhost';
    var $db_user    = 'root';
    var $db_passwd  = '';
    var $db_name    = 'whatever';

    function query($sql)
    {
        $this->result = mysql_query($sql, $this->link);
        if(!$this->result)
        {
           $this->error(mysql_error());
        } else {
            return $this->result;
        }
    }
}

There's more in the class than that but I'm cutting it down just for this. The problem I'm facing is if I just use mysql_real_escape_string($sql, $this->link); then it escapes the entire query and leads to a SQL syntax error. How can I dynamically find the variables that need to be escaped? I want to avoid using mysql_real_escape_string() in my main code blocks, i'd rather have it in a function.

Thanks.

© Stack Overflow or respective owner

Related posts about php

Magento, NGINX, PHP-FPM, APC, MEMCACHED, 16gb Ram CentOS, Spiking PHP-FPM to 100% CPU

as seen on Server Fault - Search for 'Server Fault'
I have been trying to resolve my issue of spiking cpu caused by php-fpm processes. I've reduced the php-fpm config settings to: pm = ondemand pm.max_children = 12 pm.start_servers = 2 pm.min_spare_servers = 2 pm.max_spare_servers = 10 pm.max_requests = 500 php_admin_value[memory_limit] = 128M Problem… >>> More
PHP Pear Installation on CentOS

as seen on Server Fault - Search for 'Server Fault'
[root@ip ~]# yum install php-pear* Reducing CentOS-5 Testing to included packages only Finished Setting up Install Process Package 1:php-pear-1.8.1-2.el5.centos.noarch already installed and latest versio … >>> More
Apache configurations for php "AddType text/html php" or "AddType application/x-httpd-php php .php"

as seen on Server Fault - Search for 'Server Fault'
I am taking over an application server and discover that it contain the following settings: AddType text/html php Although it works, but my understanding is that it should set as following: AddType application/x-httpd-php php .php What are the key differences between the two settings?… >>> More
mod_rewrite settings causes server to throw HTTP 500 errors instead of 404

as seen on Server Fault - Search for 'Server Fault'
Hello. I have a server with VBulletin forum (working under Apache 2.2, CentOS). The default settings for it in .htaccess are as follows: RewriteEngine on RewriteCond %{HTTP_HOST} ^gsmforum\.ru RewriteRule (.*) http://www.gsmforum.ru/$1 [R=301,L] # If you are having problems or are using VirtualDocumentRoot… >>> More
Problems installing Memcache (PECL extension)

as seen on Server Fault - Search for 'Server Fault'
I have installed memcached fine, and now I will need to install PECL extension memcache. Im running RedHat x86_64 es5. The installation gives me this: downloading memcache-2.2.6.tgz ... Starting to download memcache-2.2.6.tgz (35,957 bytes) ..........done: 35,957 bytes 11 source files, building running:… >>> More

Related posts about class

DIV is picking max-width value as width value for DIV.

as seen on Stack Overflow - Search for 'Stack Overflow'
I am facing a problem after applying max-width hack for IE7. In mozilla, width of the div is flexible and adjustable as per the image width in the div. But in IE7 it is taking the max-width as width of DIV. Below is my HTML code: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"… >>> More
Getting Information About Class Programatically (methods in class/properties of class)

as seen on C# Corner - Search for 'C# Corner'
This article will teach you how to get information about some class like how many methods are there in class, how many properties are there etc.. >>> More
Nested class - calling the nested class from the parent class

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a class whereby a method calls a nested class. I want to access the parent class properties from within the nested class. public class ParentClass { private x; private y; private z; something.something = new ChildClass public class ChildClass { need to get x, y and z; } } How do I… >>> More
Compare base class part of sub class instance to another base class instance

as seen on Stack Overflow - Search for 'Stack Overflow'
I have number of DTO classes in a system. They are organized in an inheritance hierarchy. class Person { public int Id { get; set; } public string FirstName { get; set; } public string ListName { get; set; } } class PersonDetailed : Person { public string WorkPhone { get; set; } … >>> More
making class accessible from class path in dynamic class loading

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a project created in Eclipse, and I defined an interface and a class for dynamic class loading, the class is in the project directory, so I have this code in my project: if (handlerClassName != null) { TypeHandler typeHandler = null; try { typeHandler =… >>> More