Reputation: 59
I've spent five hours on this same problem and am getting too frustrated to think it through properly; some help would be appreciated.
File include structure is kind of like:
page.php includes-> head.php includes->(*glo_functions.php* then *sql_functions.php*)
The line in page.php triggering the error:
    $logdata = $db->escape($_POST['logdata']);
The connection is made in a file like globals.php:
    $db->connect();
The escape() function, in a file like sql_functions.php:
    function escape($text) {
        return mysqli_real_escape_string($this->connection_id, '$text');
    }
The problem (anywhere that calls the function):
    function log_add($text)
    {
        global $db, $row;
        $IP = $_SERVER['REMOTE_ADDR'];
        $text = $db->escape($text);
        $db->query("INSERT INTO log VALUES(NULL, {$row['userid']}, unix_timestamp(), '$text', '$IP')");
    }
Many errors have happened. If connection_id and $text are reversed, it says it expects parameter 1 and kills the script.
Ideally there will be a way for the escape function to sanitize the information somehow. After this has been executed, as of now, my log table is being populated with $text and not the actual text.
I understand preparing queries would be a better option, but it would take a lot more than 5 hours to do that with every query. I'm converting from SQL, so data is universally escaped when needed by calling the function; everywhere data needs to be escaped, it is already calling this function.
Edited:
    $db = new database;
    $db->configure($_CONFIG['hostname'],
                   $_CONFIG['username'],
                   $_CONFIG['password'],
                   $_CONFIG['database'],
                   $_CONFIG['persistent']);
    $db->connect();
Upvotes: 0
Views: 106
Reputation: 30252
    function escape($text) {
        global $link; // link to db
        return mysqli_real_escape_string($link, $text);
    }
Or
    function escape($text) {
        global $db; // db object
        return $db->real_escape_string($text);
    }
Or, only if escape is a method of the same class where you create your $db object:
    function escape($text) {
        // assumes that class extends mysqli, so the escaping method is available on $this
        return $this->real_escape_string($text);
    }
Upvotes: 0
Reputation: 562478
    return mysqli_real_escape_string($this->connection_id, '$text');
You put the variable inside single-quotes, so it will use the literal string "$text", not the value of a variable $text.
You could use double-quotes to ensure the variable is expanded:
    return mysqli_real_escape_string($this->connection_id, "$text");
Or else just don't put it in quotes at all for this case. Passing a variable to a PHP function is not SQL injection.
    return mysqli_real_escape_string($this->connection_id, $text);
Of course when you use a variable inside a string literal in an SQL query, you do need to delimit it with single-quotes.
I agree with other commenters that using query parameters is superior, if only because you never have to worry about quotes again. But I understand that you have to forgo that code update for now.
Upvotes: 2
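As an added example, not code from the question or either answer: a minimal wrapper in the shape the question describes, with the quote bug fixed, an escaped-string log_add() beside a prepared-statement one, and the connection set to throw on errors so a failed escape cannot silently produce a bad query. It assumes a class named Database, a property $connection_id holding a mysqli link, placeholder credentials, and a `log` table with the five columns the original INSERT fills.

```php
<?php
// Added example (not the question's or answers' code). Assumptions: class name
// Database, $connection_id is a mysqli link, placeholder credentials below,
// and a `log` table matching the five-column INSERT from the question.

class Database
{
    public mysqli $connection_id;

    public function __construct(string $host, string $user, string $pass, string $name)
    {
        // Throw exceptions instead of silently returning false on failure.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->connection_id = new mysqli($host, $user, $pass, $name);
        // Escaping is charset-aware, so set the charset before escaping anything.
        $this->connection_id->set_charset('utf8mb4');
    }

    // Fixed escape(): pass the variable itself, not the literal string '$text'.
    public function escape(string $text): string
    {
        return mysqli_real_escape_string($this->connection_id, $text);
    }

    // Escaped-string version, as the question's log_add() builds its query.
    public function logAddEscaped(int $userId, string $text, string $ip): void
    {
        $text = $this->escape($text);
        $ip   = $this->escape($ip);
        $this->connection_id->query(
            "INSERT INTO log VALUES (NULL, $userId, unix_timestamp(), '$text', '$ip')"
        );
    }

    // Prepared-statement version: values never enter the SQL text, so no quoting is needed.
    public function logAddPrepared(int $userId, string $text, string $ip): void
    {
        $stmt = $this->connection_id->prepare(
            'INSERT INTO log VALUES (NULL, ?, unix_timestamp(), ?, ?)'
        );
        $stmt->bind_param('iss', $userId, $text, $ip);
        $stmt->execute();
    }
}

// Placeholder credentials; substitute your own $_CONFIG values.
$db = new Database('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->logAddPrepared(1, "O'Brien's entry", $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1');
```

Both log methods produce the same row for the sample text; the prepared one is the form to migrate to when time allows, since it removes the quoting question entirely.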