php - How to use variables in a SQL query


I wrote a class, database.php:

    class database {
        private $host;
        private $dbusername;
        private $dbpassword;
        private $connection;
        private $iv;

        public function __construct($host, $dbusername, $dbpassword, $iv)
        {
            $this->dbpassword = $dbpassword;
            $this->dbusername = $dbusername;
            $this->host = $host;
            $this->iv = $iv;
        }

        public function createdatabase($dbname){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword);
            $query = "create database if not exists $dbname";
            if(!$this->connection){
                var_dump("connection failed");
            }
            else {
                $this->connection->prepare($query)->execute();
                $this->connection->close();
            }
        }

        public function createtable($query, $dbname){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, $dbname);
            if(!$this->connection){
                var_dump("connection failed");
            }
            else {
                $this->connection->prepare($query)->execute();
                $this->connection->close();
            }
        }

        public function getconnection(){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword);
            return $this->connection;
        }

        public function executequery($dbname, $query){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, $dbname);
            if(!$this->connection){
                var_dump("connection failed");
                return false;
            }
            else{
                $this->connection->prepare($query)->execute();
                $this->connection->close();
                return true;
            }
        }

        public function deletefromtable($dbname, $query){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, $dbname);
            if(!$this->connection){
                var_dump("connection failed");
                return false;
            }
            else{
                $this->connection->prepare($query)->execute();
                $this->connection->close();
                return true;
            }
        }

        // returns true if the query yields at least one row
        public function check($query){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, "portal");
            $statement = $this->connection->prepare($query);
            $statement->execute();
            $statement->store_result();
            if($statement->num_rows != 0){
                $this->connection->close();
                return true;
            }
            else
            {
                $this->connection->close();
                return false;
            }
        }

        // $username is interpolated straight into the SQL string (the injection point asked about below)
        public function getid($username){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, 'portal');
            $id = mysqli_fetch_all(mysqli_query($this->connection, "select id from users where username='$username'"));
            $this->connection->close();
            return $id[0][0];
        }

        // returns the first row, or one column of it when $name is given
        public function getdata($query, $name = null){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, 'portal');
            $statement = $this->connection->prepare($query);
            $statement->execute();
            $data = $statement->get_result()->fetch_array();
            if($name != null) {
                return $data[$name];
            }
            else{
                return $data;
            }
        }

        public function getdataasarray($myquery){
            $this->connection = mysqli_connect($this->host, $this->dbusername, $this->dbpassword, 'portal');
            $query = mysqli_query($this->connection, $myquery);
            $results = array();
            while($line = mysqli_fetch_array($query)){
                $results[] = $line;
            }
            return $results;
        }

        public function encryptssl($data){
            $encryptionmethod = "aes-256-cbc";
            $secrethash = ""; // key left empty in the posted code
            $encryptedmessage = openssl_encrypt($data, $encryptionmethod, $secrethash, 0, $this->iv);
            return $encryptedmessage . '||' . $this->iv;
        }

        public function decryptssl($data, $iv){
            $encryptionmethod = "aes-256-cbc";
            $secrethash = ""; // key left empty in the posted code
            $decryptedmessage = openssl_decrypt($data, $encryptionmethod, $secrethash, 0, $iv);
            return $decryptedmessage;
        }
    }

and I'm using the following in my code to select, update and delete entries in the database:

    $customerinfo = $database->getdata("select * from customers where id='$id'");

    $database->executequery('portal', "insert into messages (userid, message, customerid, messageread, messagetrash, messagedeleted, time_added, subject) values('$id', '$message', '$customerid', 0, 0, 0, '$time_date', '$messagesubject')");

But, as many probably know, this is not safe against SQL injection. Binding parameters like :id is a possibility, but I don't know how I can do that within the class if I want to have one function for multiple different queries, for example one query with one variable or one query with multiple variables, like the two queries above.

Can anyone help me out with this issue?

It's never a good idea to use variables directly in queries without first escaping/treating them. If you do, use PHP's 'bif' mysqli_real_escape_string($var) to escape them.

In your code it can look like this:

    // mysqli_real_escape_string() needs the connection as its first argument
    $conn = $database->getconnection();

    $customerinfo = $database->getdata(sprintf("select * from customers where id='%d'", mysqli_real_escape_string($conn, $id)));

    $database->executequery('portal', sprintf("insert into messages (userid, message, customerid, messageread, messagetrash, messagedeleted, time_added, subject) values('%d', '%s', '%s', 0, 0, 0, '%s', '%s')",
        mysqli_real_escape_string($conn, $id),
        mysqli_real_escape_string($conn, $message),
        mysqli_real_escape_string($conn, $customerid),
        mysqli_real_escape_string($conn, $time_date),
        mysqli_real_escape_string($conn, $messagesubject)));

Here's another way of doing it, using strtr:

    $conn = $database->getconnection();

    $placeholders = array(
        ':id'             => mysqli_real_escape_string($conn, $id),
        ':message'        => mysqli_real_escape_string($conn, $message),
        ':customerid'     => mysqli_real_escape_string($conn, $customerid),
        ':time_date'      => mysqli_real_escape_string($conn, $time_date),
        ':messagesubject' => mysqli_real_escape_string($conn, $messagesubject),
    );

    $database->executequery('portal', strtr("insert into messages (userid, message, customerid, messageread, messagetrash, messagedeleted, time_added, subject) values(':id', ':message', ':customerid', 0, 0, 0, ':time_date', ':messagesubject')", $placeholders));
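Escaping still splices the values into the SQL text. The question actually asks for one method that works for a query with one variable or with many, and mysqli prepared statements give exactly that: the SQL is sent with `?` placeholders and the values travel separately, so they can never change the statement. The following is an added example, not code from the question or the answer; `SafeDatabase` is a hypothetical replacement for the posted class, and `$id`, `$message`, `$customerid`, `$time_date` and `$messagesubject` are assumed to be the same variables as in the question.

```php
<?php
// Added example: one prepared-statement runner for any number of bound values.
// Assumes the same host/user/password/dbname inputs as the posted class.
class SafeDatabase
{
    private mysqli $connection;

    public function __construct(string $host, string $user, string $pass, string $dbname)
    {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
        $this->connection = new mysqli($host, $user, $pass, $dbname);
        $this->connection->set_charset('utf8mb4');
    }

    // Prepares $sql (with ? placeholders), binds $params, executes, and returns the statement.
    private function run(string $sql, array $params): mysqli_stmt
    {
        $stmt = $this->connection->prepare($sql);
        if ($params) {
            // Build the bind_param type string from the PHP types: i = int, d = float, s = anything else.
            $types = '';
            foreach ($params as $p) {
                $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
            }
            $stmt->bind_param($types, ...$params);
        }
        $stmt->execute();
        return $stmt;
    }

    // For insert/update/delete: returns the number of affected rows.
    public function executequery(string $sql, array $params = []): int
    {
        return $this->run($sql, $params)->affected_rows;
    }

    // For select: returns the first row as an associative array, or null when there is none.
    public function getdata(string $sql, array $params = []): ?array
    {
        return $this->run($sql, $params)->get_result()->fetch_assoc() ?: null;
    }
}

// The two queries from the question; the values never become part of the SQL string.
$db = new SafeDatabase('localhost', 'dbuser', 'dbpassword', 'portal'); // placeholder credentials
$customerinfo = $db->getdata('select * from customers where id = ?', [$id]);
$db->executequery(
    'insert into messages (userid, message, customerid, messageread, messagetrash, messagedeleted, time_added, subject)
     values (?, ?, ?, 0, 0, 0, ?, ?)',
    [$id, $message, $customerid, $time_date, $messagesubject]
);
```

Because the type string is derived from each value, the same `executequery()`/`getdata()` pair serves a query with one bound variable or with five, which is the single-function requirement from the question.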
