
reflection and function parameters

Posted: Thu Nov 29, 2007 10:48 pm
by alex.barylski
I am trying to figure out if it's possible to use reflection to automate securing of parameters before sending to mysql_query...

Code:

// runs inside a class method, so __CLASS__ and __FUNCTION__ name it;
// getParameters() already returns an array, so no custom iterator is needed
$method = new ReflectionMethod(__CLASS__, __FUNCTION__);
foreach ($method->getParameters() as $key => $variable) {
	$tmp_name = $variable->getName();
	$$tmp_name = 10; // variable variable; eval("${tmp_name} = 10;") interpolates to "name = 10;", which is a parse error
}
I want to add something like the above to each and every mysql function in an application BUT I need to re-assign the parameters the mysql_real_escape_string value so they're safe to pass to query.

I can't think of a way to accomplish this, so short of telling myself it's impossible, I figured I would throw this out there and see what y'all might be able to hack together. No extensions please. :)

Posted: Thu Nov 29, 2007 11:08 pm
by feyd
Is func_get_args() not going to work for you?

Posted: Thu Nov 29, 2007 11:14 pm
by alex.barylski
I tried using that function, but when it comes to re-assigning the value it doesn't seem to work. How would it?

What did you have in mind?

Posted: Fri Nov 30, 2007 12:42 am
by Chris Corbyn
Hockey wrote:I tried using that function, but when it comes to re-assigning the value it doesn't seem to work. How would it?

What did you have in mind?
No it should work. I'm not sure Reflection is going to help when you're trying to look at an object which is already instantiated, unless I'm misunderstanding you. func_get_args() is a bit weird I admit -- for example it has a problem foreaching it directly, but assign the result to a variable and you should have something fully mutable.

Posted: Fri Nov 30, 2007 12:42 pm
by alex.barylski
So you can iterate the results of func_get_args() and re-assign them???

I swear I tried that but maybe it was just too late and I missed something. Anyways, I just wanted a semi-automated method of securing arguments before sending to my query.

Each time the schema changed I would have to make sure I added that argument to the list like:

Code:

$name = mysql_real_escape_string($name);
$age = mysql_real_escape_string($age);
$bday = mysql_real_escape_string($bday);
What I found was happening though, was that I would occasionally *miss* an argument altogether or would mistype one like:

Code:

$name = mysql_real_escape_string($name);
$age = mysql_real_escape_string($age);
$bday = mysql_real_escape_string($name); // Bad!! $bday is never escaped and gets $name's value
Ideally I wanted to avoid using loops or anything and simply wanted to call a function with each argument in the parameter list clearly visible for the sake of clarity and explicitness. I eventually devised this as a solution which works and keeps things a little more obvious IMHO.

Code:

/** START: SECURE PARAMETERS **/
list($udate, $ddate, $sent, $recv, $open, $status, $layout, $subject, $htmlbody) =
	_sane($udate, $ddate, $sent, $recv, $open, $status, $layout, $subject, $htmlbody);
/** FINISH: SECURE PARAMETERS **/

Code:

function _sane()
{
	// func_get_args() hands back a copy of the arguments; escape that copy
	// and return it (mysql_real_escape_string needs an open connection)
	$args = func_get_args();
	return array_map('mysql_real_escape_string', $args);
}
Less automated than if I iterated through the func_get_args() but it's clear.

I'm not sure I see how you mean when you say the arguments become fully mutable???

Can you demonstrate with code so I get what you're saying?

Here is what I tried previously but it doesn't work - can't use a reference on the func_*

Code:

// Does not work: func_get_arg() returns a value, not a reference, so $tmp
// is a fresh copy and the escaped result never reaches the real argument
$cnt = func_num_args();
for ($i = 0; $i < $cnt; $i++) {
	$tmp =& func_get_arg($i);
	$tmp = mysql_real_escape_string($tmp);
}
How else could you do it?

Posted: Sat Dec 01, 2007 9:08 pm
by s.dot

Code:

$args = func_get_args();
$mod = $args; // work on a copy; the escaped values live in $mod

foreach ($args AS $k => $v)
{
	$mod[$k] = mysql_real_escape_string($v);
}
That's the only way I could think of doing it. Doesn't look too pretty though.

Posted: Mon Dec 03, 2007 1:43 pm
by volka
Wouldn't that be a perfect opportunity to skip mysql_query and use pdo/bind parameters instead?
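The following is an added example, not code from any poster in this thread. It takes the nine columns from the list()/_sane() snippet earlier in the thread and does the insert with PDO prepared statements, so there is no per-argument escaping to forget or mistype. The table name "messages", its column types and the SQLite in-memory database are assumptions made so the script runs offline; against MySQL you would use a mysql: DSN and set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, binds the values. The id lookup at the end also shows the case string escaping never covered: a value pasted into an unquoted numeric comparison.

```php
<?php
// Added example (not from the original thread). Assumed: table "messages",
// column types below, SQLite in-memory storage so it runs offline.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE messages (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        udate INTEGER, ddate INTEGER, sent INTEGER, recv INTEGER, open INTEGER,
        status TEXT, layout TEXT, subject TEXT, htmlbody TEXT)');
    return $pdo;
}

// Every value travels as a bound parameter: the SQL text is fixed at prepare()
// time, so quotes or keywords inside $subject or $htmlbody cannot alter it.
function saveMessage(PDO $pdo, $udate, $ddate, $sent, $recv, $open,
                     $status, $layout, $subject, $htmlbody): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO messages (udate, ddate, sent, recv, open, status, layout, subject, htmlbody)
         VALUES (:udate, :ddate, :sent, :recv, :open, :status, :layout, :subject, :htmlbody)');
    $stmt->execute([
        ':udate' => $udate, ':ddate' => $ddate, ':sent' => $sent, ':recv' => $recv,
        ':open' => $open, ':status' => $status, ':layout' => $layout,
        ':subject' => $subject, ':htmlbody' => $htmlbody,
    ]);
    return (int) $pdo->lastInsertId();
}

// Quoted-string context: a status containing quotes and an OR is compared
// as one literal value, never spliced into the WHERE clause.
function findByStatus(PDO $pdo, string $status): array
{
    $stmt = $pdo->prepare('SELECT id, subject FROM messages WHERE status = :status');
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Unquoted numeric context: mysql_real_escape_string() leaves "1 OR 1=1"
// untouched, so "WHERE id = $id" built by concatenation would match every row.
// Bound as a parameter, the whole string is compared against id as a value.
// (Real code should still validate or cast the id; it is bound as a string
// here only to show that the binding, not escaping, is what keeps it data.)
function findById(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, subject FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// Constructed sample rows; the second carries a quote-and-OR payload in $status.
saveMessage($pdo, 1196380800, 1196384400, 1, 0, 0, 'sent', 'plain', "Alex's report", '<p>hi</p>');
saveMessage($pdo, 1196380801, 1196384401, 1, 1, 0, "sent' OR '1'='1", 'plain', 'second', '<p>yo</p>');

printf("status = \"sent' OR '1'='1\" matches %d row(s)\n", count(findByStatus($pdo, "sent' OR '1'='1")));
printf("status = \"sent\" matches %d row(s)\n", count(findByStatus($pdo, 'sent')));
printf("id = '1' matches %d row(s)\n", count(findById($pdo, '1')));
printf("id = '1 OR 1=1' matches %d row(s)\n", count(findById($pdo, '1 OR 1=1')));
```

Run it with the php CLI. The status lookups each return only the row whose status is literally the string asked for, and the id lookup with the payload returns no rows at all while the plain '1' returns one: the bound value is compared as data, which is exactly what the escape-every-argument approach in the earlier posts could not guarantee once a value landed outside quotes.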