How can I clean up this SELECT query?

Posted by Cruachan on Stack Overflow
Published on 2009-02-25T19:20:54Z, indexed on 2010/05/31 5:02 UTC
Hit count: 210


I'm running PHP 5 and MySQL 5 on a dedicated server (Ubuntu Server 8.10) with full root access. I'm cleaning up some LAMP code I've inherited and I've a large number of SQL selects with this type of construct:

SELECT ... FROM table WHERE
  LCASE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
    strSomeField, ' ', '-'), ',', ''), '/', '-'), '&', ''), '+', '')
  ) = $somevalue

Ignoring the fact that the database should never have been constructed to require such a select in the first place, and the $somevalue field will need to be parameterised to plug the gaping security hole, what is my best option for fixing the WHERE condition into something less offensive? If I was using MSSQL or Oracle I'd simply put together a user-defined function, but my experience with MySQL is more limited and I've not constructed a UDF with it before, although I'm happy coding C.

Update: For all those who've already raised their eyebrows at this in the original code, $somevalue is actually something like $_GET['product']; there are a few variations on the theme. In this case the select is pulling the product back from the database by product name, after stripping out characters so it matches what could be previously passed as a URI parameter.
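One way to tidy this up, as an added example that is not part of the original post: MySQL 5.0 and later accept stored functions written in plain SQL via CREATE FUNCTION, so no C-level UDF is needed. The block below wraps the question's exact expression in such a function and binds $_GET['product'] as a prepared-statement parameter instead of interpolating it. The table name products, the columns id and strSomeField, the function name slugify, the error code handling and the connection details are assumptions.

```php
<?php
// Added example, not code from the original question. Assumes mysqli, a
// `products` table whose name column is `strSomeField` (the question's
// placeholder), and placeholder credentials.

// 1. Move the nested REPLACE chain into a MySQL stored function (SQL-level
//    CREATE FUNCTION, not a C UDF). The body is the original expression
//    verbatim, so existing rows match exactly as before. Run once as a user
//    with CREATE ROUTINE; with binary logging enabled MySQL also requires
//    the DETERMINISTIC / NO SQL declaration given here.
$createSlugify = "
CREATE FUNCTION slugify(s VARCHAR(255)) RETURNS VARCHAR(255)
    DETERMINISTIC NO SQL
    RETURN LCASE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(
        s, ' ', '-'), ',', ''), '/', '-'), '&', ''), '+', ''))";

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');   // placeholders
if (mysqli_connect_errno()) {
    die('Connection failed: ' . htmlspecialchars(mysqli_connect_error()));
}
// One-off setup; 1304 (ER_SP_ALREADY_EXISTS) is expected on later runs.
if (!$db->query($createSlugify) && $db->errno !== 1304) {
    die('Could not create slugify(): ' . htmlspecialchars($db->error));
}

// 2. Replace the interpolated $somevalue with a bound parameter. The URI
//    value never becomes part of the SQL text, so quotes or comment markers
//    in ?product=... are compared as data rather than parsed as SQL.
$product = isset($_GET['product']) ? $_GET['product'] : '';

$sql = 'SELECT id, strSomeField FROM products WHERE slugify(strSomeField) = ?';
$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($db->error));
}
$stmt->bind_param('s', $product);   // 's' binds the value as a string
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    // Escape on output as well; the stored name is still untrusted HTML.
    echo htmlspecialchars($name), ' (id ', (int) $id, ")\n";
}
$stmt->close();
$db->close();
```

Calling slugify() on the column still stops MySQL from using an index on strSomeField, so every lookup scans the table; storing the slug in its own indexed column at write time removes both the function call and the scan.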
