Topic: Smarter, Safer, MySQL.php modification with full Backwards Compatibility

Neo-Vortex
Hey, something I've been using on my bots for quite some time now is the use of printf() style args with MySQL.php. This also allows me to automagically escape strings, eliminating possible SQL injection vulnerabilities, and best of all, it remains backwards compatible. The changes are also quite simple, and it would make SQL coding in modules (and BeBot itself) much nicer to read.

In MySQL.php the following functions are added:

Code:
        /**
         * Escape a single argument for use inside a quoted SQL literal.
         * Numbers are returned untouched; everything else goes through
         * mysql_real_escape_string(), which escapes using the open connection's charset.
         */
        function smartescape($args)
        {
                if (is_numeric($args)) return $args;
                return mysql_real_escape_string($args);
        }

        /**
         * Build a query from a printf() style format string plus arguments.
         * If only the query string is passed it is returned untouched, so
         * existing callers (including ones with a bare '%') keep working.
         */
        function smartargs($args)
        {
                $query = array_shift($args);
                if (empty($args)) return $query;
                $args  = array_map(array($this, 'smartescape'), $args);
                array_unshift($args, $query);
                return call_user_func_array('sprintf', $args);
        }

Then the following line is added at the start of each SQL function, i.e. select(), query(), and returnQuery():

Code:
$sql = $this -> smartargs(func_get_args());

Then instead of, say, the following (example pulled from the news module):

Code:
$this -> bot -> db -> query("INSERT INTO news (type, time, name, news) VALUES ('2' ," . time() .", '" . $name . "', '" . addslashes($msg) . "')");

You would do this:

Code:
$this -> bot -> db -> query("INSERT INTO news (type, time, name, news) VALUES ('2' ,'%d', '%s', '%s')", time(), $name, $msg);

Which is much nicer on the eyes, with all escaping done for you automagically :), but best of all, the previous example would also still work perfectly fine, so there is no forced change that would break older modules.

The only potential issue would be if you are using the '%' character to specify a wildcard, in which case you would have to escape it by writing '%%' instead, or sprintf() would think it should process it. However, to eliminate backwards-compatibility issues where '%' has been used unescaped, it will detect whether any extra arguments were passed, and if there are none (i.e. it is just the query itself), it will not process it using printf(), which eliminates this :)

Edit: Little change that prevents warnings if you pass ints to it - old still works, it just complains on rare occasions :P
« Last Edit: February 28, 2007, 10:02:46 am by Neo-Vortex »
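The pattern described in the post, as an added example that is not BeBot's own code: the same two functions written standalone so they run without a database connection. The strtr-based escaper is a stand-in for mysql_real_escape_string(), which needs an open link, and the sample query values are constructed.

```php
<?php
// Added example, not BeBot's code: the smartargs pattern as standalone
// functions so it runs without a database connection.

function smart_escape($value)
{
    // Numbers pass through untouched; they fill %d / %s without quoting
    // problems. Anything else is escaped for use inside a quoted literal.
    if (is_numeric($value)) {
        return $value;
    }
    // Stand-in for mysql_real_escape_string(), which needs an open link.
    // It maps the same characters but, unlike the real function, knows
    // nothing about the connection charset, so use the driver's own
    // escaper against a real database.
    return strtr($value, array(
        "\0"   => '\\0',  "\n" => '\\n',  "\r" => '\\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\\"',
        "\x1a" => '\\Z',
    ));
}

function smart_args(array $args)
{
    $query = array_shift($args);
    // Backwards compatibility: with no extra arguments the query is
    // returned untouched, so a bare '%' in an old-style call never
    // reaches sprintf().
    if (empty($args)) {
        return $query;
    }
    $args = array_map('smart_escape', $args);
    array_unshift($args, $query);
    return call_user_func_array('sprintf', $args);
}

// Constructed sample values: a name containing an apostrophe, which the
// news module's old query concatenated into the SQL unescaped.
$name = "O'Neil";
echo smart_args(array(
    "INSERT INTO news (type, time, name, news) VALUES ('2', '%d', '%s', '%s')",
    time(), $name, "Raid tonight at 'eight'")), "\n";

// A LIKE wildcard must be written as '%%' once extra arguments are passed.
echo smart_args(array(
    "SELECT * FROM news WHERE name LIKE '%s%%'", $name)), "\n";

// An old-style call with a bare '%' and no arguments is returned as-is.
echo smart_args(array("SELECT * FROM news WHERE name LIKE 'Neo%'")), "\n";
```

Note that '%d' still coerces a non-numeric argument to an integer via sprintf(), so the numeric column is protected by the format as well as by the escaping.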

Khalem (BeBot Founder, Administrator)

Re: Smarter, Safer, MySQL.php modification with full Backwards Compatibility
« Reply #1 on: February 27, 2007, 05:43:35 pm »
I've been planning to do this, but not gotten around to it.

Will have a look at this again this weekend.
BeBot Founder and Fixer Kingpin
