Reference: What is a perfect code sample using the MySQL extension? [closed] Reference: What is a perfect code sample using the MySQL extension? [closed] php php

Reference: What is a perfect code sample using the MySQL extension? [closed]


php mysql security sql-injection

My stab at it. Tried to keep it as simple as possible, while still maintaining some real-world conveniences.

Handles unicode and uses loose comparison for readability. Be nice ;-)

<?phpheader('Content-type: text/html; charset=utf-8');error_reporting(E_ALL | E_STRICT);ini_set('display_errors', 1);// display_errors can be changed to 0 in production mode to// suppress PHP's error messages/*Can be used for testing$_POST['id'] = 1;$_POST['name'] = 'Markus';*/$config = array(    'host' => '127.0.0.1',     'user' => 'my_user',     'pass' => 'my_pass',     'db' => 'my_database');# Connect and disable mysql error output$connection = @mysql_connect($config['host'],     $config['user'], $config['pass']);if (!$connection) {    trigger_error('Unable to connect to database: '         . mysql_error(), E_USER_ERROR);}if (!mysql_select_db($config['db'])) {    trigger_error('Unable to select db: ' . mysql_error(),         E_USER_ERROR);}if (!mysql_set_charset('utf8')) {    trigger_error('Unable to set charset for db connection: '         . mysql_error(), E_USER_ERROR);}$result = mysql_query(    'UPDATE tablename SET name = "'     . mysql_real_escape_string($_POST['name'])     . '" WHERE id = "'     . mysql_real_escape_string($_POST['id']) . '"');if ($result) {    echo htmlentities($_POST['name'], ENT_COMPAT, 'utf-8')         . ' updated.';} else {    trigger_error('Unable to update db: '         . mysql_error(), E_USER_ERROR);}

php mysql security sql-injection

I decided to jump the gun and just put something up. It's something to start with. Throws an exception on error.

function executeQuery($query, $args) {    $cleaned = array_map('mysql_real_escape_string', $args);    if($result = mysql_query(vsprintf($query, $cleaned))) {        return $result;    } else {        throw new Exception('MySQL Query Error: ' . mysql_error());    }}function updateTablenameName($id, $name) {    $query = "UPDATE tablename SET name = '%s' WHERE id = %d";    return executeQuery($query, array($name, $id));}try {    updateTablenameName($_POST['id'], $_POST['name']);} catch(Exception $e) {    echo $e->getMessage();    exit();}

php mysql security sql-injection 

/** * Rule #0: never trust users input! *///sanitize integer value$id = intval($_GET['id']);//sanitize string value;$name = mysql_real_escape_string($_POST['name']);//1. using `dbname`. is better than using mysql_select_db()//2. names of tables and columns should be quoted by "`" symbol//3. each variable should be sanitized (even in LIMIT clause)$q = mysql_query("UPDATE `dbname`.`tablename` SET `name`='".$name."' WHERE `id`='".$id."' LIMIT 0,1 ");if ($q===false){    trigger_error('Error in query: '.mysql_error(), E_USER_WARNING);}else{    //be careful! $name contains user's data, remember Rule #0    //always use htmlspecialchars() to sanitize user's data in output    print htmlspecialchars($name).' updated';}########################################################################//Example, how easily is to use set_error_handler() and trigger_error()//to control error reporting in production and dev-code//Do NOT use error_reporting(0) or error_reporting(~E_ALL) - each error//should be fixed, not mutedfunction err_handler($errno, $errstr, $errfile, $errline){    $hanle_errors_print = E_ALL & ~E_NOTICE;    //if we want to print this type of errors (other types we can just write in log-file)    if ($errno & $hanle_errors_print)    {        //$errstr can contain user's data, so... Rule #0        print PHP_EOL.'Error ['.$errno.'] in file '.$errfile.' in line '.$errline              .': '.htmlspecialchars($errstr).PHP_EOL;    }    //here you can write error into log-file}set_error_handler('err_handler', E_ALL & ~E_NOTICE & E_USER_NOTICE & ~E_STRICT & ~E_DEPRECATED);

And some explanation of comments: 

//1. using `dbname`. is better than using mysql_select_db()

With using mysql_select_db you can create errors, and it will be not so easy to find and fix them.
For example, in some script you will set db1 as database, but in some function you need to set db2 as database.
After calling this function, database will be switched, and all following queries in script will be broken or will broke some data in wrong database (if names of tables and columns will coincide).

//2. names of tables and columns should be quoted by "`" symbol

Some names of columns can be also SQL-keywords, and using "`" symbol will help with that.
Also, all string-values, inserted to query, should be quoted by ' symbol.

//always use htmlspecialchars() to sanitize user's data in output
It will help you to prevent XSS-attacks.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last