PHP Classes

this class isn't safe for sql injection, i added a small func...


Subject:this class isn't safe for sql...
Summary:Package rating comment
Messages:3
Author:Andrea Venturi
Date:2008-06-15 13:28:42
Update:2008-09-02 19:35:34
 

Andrea Venturi rated this package as follows:

Utility: Good
Consistency: Good
Documentation: Good
Examples: Good

  1. this class isn't safe for sql...
Andrea Venturi - 2008-06-15 13:28:43
This class isn't safe for SQL injection; I added a small function for parsing inputs before use in production.

  2. Re: this class isn't safe for sql...
John Vaughan - 2008-08-22 16:46:25 - In reply to message 1 from Andrea Venturi
Hello Andrea,

Would you mind posting your modifications? I think this is a great class as well, but needs some SQL injection prevention to round it off. You can also email me directly at jjvaughan at gmail

Thanks for sharing!
-John

  3. Re: this class isn't safe for sql...
Andrea Venturi - 2008-09-02 19:35:34 - In reply to message 2 from John Vaughan
I took the escape function from this class: http://www.phpclasses.org/browse/file/13783.html

function sql_quote($value)
{
    // Added as a method of the ezSQL class, so $this->dbh is the open MySQL link.
    // Magic quotes (removed in PHP 5.4) already backslash-escaped GET/POST/COOKIE
    // data; undo that so the value is not escaped twice. This is only correct
    // when $value actually came from GPC input.
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes($value);
    }

    // check if this function exists (it needs an open connection so that the
    // escaping follows the connection's character set)
    if( function_exists( 'mysql_real_escape_string' ) )
    {
        $value = mysql_real_escape_string($value, $this->dbh);
    }
    // for PHP version < 4.3.0 use addslashes
    else
    {
        $value = addslashes($value);
    }
    return $value;
}
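The function above escapes a value so it can be spliced into SQL text; the other way to keep user input out of the statement is to bind it as a parameter. The following is an added example, not ezSQL's code and not from anyone in this thread. It runs the same lookup both ways against an in-memory SQLite database through PDO (an assumption for the demo: the thread's class targets MySQL, and the mysql_* extension it relies on was removed in PHP 7.0, while get_magic_quotes_gpc() was removed in PHP 8.0). The table, rows and inputs are constructed for the example.

```php
<?php
// Added example, not ezSQL's code and not from the thread. Runs offline
// against an in-memory SQLite database through PDO (assumption: the thread's
// class targets MySQL, but parameter binding is driver-independent).

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)");
    // Constructed sample rows; 'O''Brien' is SQL's own way of writing O'Brien.
    $pdo->exec("INSERT INTO users (name, active) VALUES ('alice', 1), ('O''Brien', 1), ('mallory', 0)");
    return $pdo;
}

// Style 1: escaping, as in the thread. PDO::quote() applies the driver's
// escaping rules and adds the surrounding quotes; on the mysql driver it does
// what mysql_real_escape_string() did, using the connection's character set.
function find_active_escaped(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = " . $pdo->quote($name) . " AND active = 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Style 2: bound parameter. The value travels separately from the SQL text,
// so there is no escaping step to forget or to mismatch with the charset.
function find_active_bound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name AND active = 1");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = make_db();
// Constructed inputs: a legitimate apostrophe, and a value shaped like SQL.
foreach (["O'Brien", "x' OR '1'='1"] as $input) {
    printf("%-14s escaped=%s bound=%s\n",
        $input,
        json_encode(find_active_escaped($pdo, $input)),
        json_encode(find_active_bound($pdo, $input)));
}
```

Both functions return `["O'Brien"]` for the first input and `[]` for the second: in each style the input is treated as a name to compare against, not as part of the statement. The practical difference is where the safety lives. With escaping, every call site must remember to quote, and the escaping must match the connection's character set (which is why the thread's function passes `$this->dbh`); with binding, the driver keeps data and SQL apart for every query, so a forgotten call site cannot reopen the hole.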