OverBakedToast

Reputation: 147

Trying to make a workaround for mysqli_real_escape_string

So currently I have my code in procedural format, so in order to prevent myself from adding the "link" to the mysqli_real_escape_string function every time, I've made a method that looks like this:

    // Used to create a legal SQL string that you can use in an SQL statement in place of mysqli_real_escape_string
    public function escape_string($string) {
        $newstring = mysqli_real_escape_string($this->dbconn, $string);
        return $newstring;
    }

When I use this, though, I don't get any results. Let me know if you have any recommendations.

Here are some examples where I use the function:

    function email_exists($email, $dblayer) {
        // Escape the value before interpolating it into the quoted string literal
        $sql     = "SELECT `id` FROM `users` WHERE `email` = '" . $dblayer->escape_string($email) . "'";

        $results = $dblayer->select_query($sql);

        if ($results) {
            return true;
        } else {
            return false;
        }
    }

And this:

    public function pass_reset($email) {
        // The temporary password is the first 8 hex characters of md5() over a random number
        $newpass     = substr(md5(mt_rand(1, 99999)), 0, 8);

        // Stored hash: md5() of the new password with a fixed suffix (redacted in the post)
        $newpasshash = md5($newpass . '************');

        $sql         = "UPDATE `admin_users` SET `password` = '" . $newpasshash . "' WHERE `username` = '" . $this->dblayer->escape_string($email) . "'";

        $this->dblayer->modify_query($sql);

        return $newpass;
    }

And this, which is built around another dblayer called dbobject:

            case $range:
                // Both date bounds come straight from the query string, so they need escaping too
                $dates = explode(',', $_GET['search-string']);

                $sql   = "SELECT SQL_CALC_FOUND_ROWS * FROM `user_profile` WHERE `created` BETWEEN '" . $dbobject->escape_string($dates[0]) . "' AND '" . $dbobject->escape_string($dates[1]) . "'";

                break;

            default:
                // escape_string() only protects quoted string values; `search-field` is used as a
                // column identifier, which escaping cannot make safe. It must be checked against
                // the permitted column names before being used (left as posted here).
                $sql   = "SELECT SQL_CALC_FOUND_ROWS * FROM `user_profile` WHERE `" . $_GET['search-field'] . "` LIKE '%" . $dbobject->escape_string($_GET['search-string']) . "%'";

                break;

Upvotes: 0

Views: 175

Answers (2)

OverBakedToast

Reputation: 147

This is what I did differently to my original code to fix my problem. It might look a little ambiguous out of context.

// Used to create a legal SQL string that you can use in an SQL statement in place of mysqli_real_escape_string
public function escape_string($string) {
    $newstring = '';

    if ($this->dbconn) {

        switch ($this->dbtype) {

            case 'mysql' :

                $newstring = mysqli_real_escape_string ( $this->dbconn, $string );
                break;
        }
    }
    return $newstring;
}

Upvotes: 0

cwallenpoole

Reputation: 81988

It looks like the problem is probably two-fold. First, I would expect that your $this->dbconn is NULL. This would make mysqli_real_escape_string return NULL. This means your SQL is probably looking for empty strings.

The best way to verify this is to either check if the connection is NULL or check the SQL you're running. Do you see a number of ''? Then you're concatenating against null.

The only way that could possibly happen, however, is if you have your error reporting suppressed. While you are developing you should have errors turned on. There is information on how to show errors in this question.

Upvotes: 0
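An added example, not code from either answer or from the poster's dblayer, showing the connection check cwallenpoole suggests turned into behaviour: the wrapper refuses to run with no connection instead of quietly returning an empty string (which is what makes the queries "look for empty strings"), the `search-field` identifier from the question's last snippet is checked against an allowlist rather than escaped, and the `email_exists` query is done with a prepared statement so it needs no escaping at all. The class name `DbLayer`, the allowlisted column names, and the connection parameters at the end are assumptions; the table and column names are the ones used in the question.

```php
<?php
// Added example, not from the original post. DbLayer, SEARCH_COLUMNS and the
// connection placeholders are assumptions chosen to mirror the poster's dblayer.
declare(strict_types=1);

class DbLayer
{
    /** @var mysqli|null */
    private $dbconn;

    // Only these column names may be interpolated into the LIKE search (assumed list)
    private const SEARCH_COLUMNS = ['username', 'email', 'first_name', 'last_name'];

    public function __construct(?mysqli $dbconn)
    {
        $this->dbconn = $dbconn;
    }

    // Same purpose as the poster's escape_string, but fails loudly when there is
    // no connection instead of handing back '' (which silently matches nothing).
    public function escape_string(string $string): string
    {
        if (!$this->dbconn instanceof mysqli) {
            throw new RuntimeException('escape_string called without an open mysqli connection');
        }
        return mysqli_real_escape_string($this->dbconn, $string);
    }

    // Identifiers (column names) cannot be made safe by escaping: check them
    // against an allowlist and only then wrap them in backticks.
    public static function search_column(string $field): string
    {
        if (!in_array($field, self::SEARCH_COLUMNS, true)) {
            throw new InvalidArgumentException("Unsupported search field: {$field}");
        }
        return '`' . $field . '`';
    }

    // email_exists done with a prepared statement: the value is bound, never interpolated.
    public function email_exists(string $email): bool
    {
        if (!$this->dbconn instanceof mysqli) {
            throw new RuntimeException('email_exists called without an open mysqli connection');
        }
        $stmt = $this->dbconn->prepare('SELECT `id` FROM `users` WHERE `email` = ? LIMIT 1');
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->dbconn->error);
        }
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $stmt->store_result();
        $found = $stmt->num_rows > 0;
        $stmt->close();
        return $found;
    }
}

// --- Demonstration that runs without a database ---

// 1. The failure mode from the question: a layer built with no connection.
$broken = new DbLayer(null);
try {
    $broken->escape_string("o'reilly@example.com");
} catch (RuntimeException $e) {
    echo "Refused to escape: ", $e->getMessage(), PHP_EOL;
}

// 2. Allowlist check for the `search-field` parameter (constructed inputs).
$inputs = ['email', "id` = 1 OR `id"];
foreach ($inputs as $field) {
    try {
        echo "Accepted column: ", DbLayer::search_column($field), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "Rejected: ", $e->getMessage(), PHP_EOL;
    }
}

// 3. With a real connection (host/user/password/db below are placeholders),
//    the prepared-statement email_exists() is used like this:
//    $db = new DbLayer(new mysqli('localhost', 'user', 'pass', 'app'));
//    var_dump($db->email_exists('someone@example.com'));
```

Parts 1 and 2 run with plain `php` and no database, which is also a quick way to confirm the diagnosis in the answer above: if the poster's own `escape_string` had thrown instead of returning an empty value, the empty `''` literals in the generated SQL would never have appeared. Part 3 needs a live mysqli connection; with prepared statements the escaping wrapper is not needed for values at all, only the allowlist remains for identifiers.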
