
mysql_real_escape_string not being used with given regex

I am using a dataHandler library to handle all of my db inserts / updates, etc. The library has the following functions:

// Class wrapper assumed: both functions reference $this, so they are methods of the
// dataHandler class; the original snippet only showed the two method bodies.
class DataHandler {

    function prepareValue($value, $connection){
        $preparedValue = $value;
        if(is_null($value)){
            $preparedValue = 'NULL';
        }
        else{
            // escape the value and wrap it in single quotes
            $preparedValue = '\''.mysql_real_escape_string($value, $connection).'\'';
        }
        return $preparedValue;
    }

    function parseParams($params, $type, $connection){
        $fields = "";
        $values = "";

        if ($type == "UPDATE"){
            $return = "";
            foreach ($params as $key => $value){
                if ($return == ""){
                    // a value ending in ")" is passed through unquoted and unescaped
                    if (preg_match("/\)$/", $value)){
                        $return = $key."=".$value;
                    }
                    else{
                        $return = $key."=".$this->prepareValue($value, $connection);
                    }
                }
                else{
                    if (preg_match("/\)$/", $value)){
                        $return = $return.", ".$key."=".$value;
                    }
                    else{
                        $return = $return.", ".$key."=".$this->prepareValue($value, $connection);
                    }
                }
            }
            return $return;
        }
        /* rest of function contains similar branches for "INSERT", etc. */
    }
}

These functions are then used to build queries using sprintf, as in:

$query = sprintf("UPDATE table SET " .
    $this->parseParams($params, "UPDATE", $conn) .
    " WHERE fieldValue = %s;", $this->prepareValue($thesis_id, $conn));

$params is an associative array: array("db_field_name"=>$value, "db_field_name2"=>$value2, etc.)

I am now running into problems when I want to do an update or insert of a string that ends in ")" because the parseParams function does not put these values in quotes.

My question is this: Why would this library NOT call prepareValue on strings that end in a closed parenthesis? Would calling mysql_real_escape_string() on this value cause any problems? I could easily modify the library, but I am assuming there is a reason the author handled this particular regex this way. I just can't figure out what that reason is! And I'm hesitant to make any modifications until I understand the reasoning behind what is here.

Thanks for your help!


Please note that inside prepareValue not only is mysql_real_escape_string applied to the value, but it is also put inside '. With this in mind, we could suspect that the author assumed all strings ending with ) to be MySQL function calls, i.e.:

$params = array(
    'field1' => "John Doe",
    'field2' => "CONCAT('John',' ','Doe')",
    'field3' => "NOW()"
);

That's the only reasonable answer that comes to mind.

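As an added example (not the library from the question, nor the answerer's code), here is how the same UPDATE builder can be written without the "ends in )" guess: a value is emitted unquoted only when the caller explicitly wraps it as a SQL expression, and everything else, including strings that happen to end in ")", is escaped and quoted. It goes one step beyond the original by also validating the column names taken from the array keys, which escaping cannot protect. It assumes PHP 8.1+ and a live mysqli connection; the names RawSql and DataHandler, the table and column names, and the connection credentials are placeholders of mine.

```php
<?php
// Added example, not the asker's library: a value is emitted unquoted only when
// the caller wraps it in RawSql; everything else is escaped and quoted.
// Assumes PHP 8.1+ and a live mysqli connection (constructed names: RawSql, DataHandler).
final class RawSql {
    public function __construct(public readonly string $sql) {}
}

final class DataHandler {
    public function __construct(private mysqli $conn) {}

    // Quote and escape a plain value; NULL becomes the SQL NULL literal.
    public function prepareValue(mixed $value): string {
        if ($value === null) {
            return 'NULL';
        }
        if ($value instanceof RawSql) {
            return $value->sql;   // explicit opt-in by the caller, no regex guessing
        }
        return "'" . $this->conn->real_escape_string((string) $value) . "'";
    }

    // Build the "col1=..., col2=..." part of an UPDATE. Column names come from
    // array keys, which real_escape_string cannot protect, so they are checked
    // against a strict identifier pattern and backtick-quoted.
    public function parseParams(array $params): string {
        $parts = [];
        foreach ($params as $key => $value) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $key)) {
                throw new InvalidArgumentException("Invalid column name: $key");
            }
            $parts[] = "`$key`=" . $this->prepareValue($value);
        }
        return implode(', ', $parts);
    }
}

// Constructed sample input: the first value ends in ")" and is still quoted and
// escaped; the second is passed through only because it is wrapped in RawSql.
$params = [
    'title'      => "Results (preliminary)",
    'updated_at' => new RawSql('NOW()'),
];
// Placeholder credentials and table/column names; replace with your own.
$handler = new DataHandler(new mysqli('localhost', 'db_user', 'db_pass', 'db_name'));
$sql = sprintf(
    "UPDATE your_table SET %s WHERE fieldValue = %s",
    $handler->parseParams($params),
    $handler->prepareValue(42)
);
```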