
parseQuery function..

Posted: Sun Jul 16, 2006 10:42 am
by Jenk
I knocked up a Query parsing method, and would like people to pick at it to see if I have missed any potential loopholes :)

Code:

public function parseQuery ()
{
    $count = func_num_args();
    $str   = func_get_arg(0);
    $map   = array();

    if ($count > 1) {
        for ($i = 1; $i < $count; $i++) {

            // Only canonical integer/float spellings go in unquoted;
            // anything else is escaped and wrapped in single quotes.
            if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
                || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i)))) {
                $pat = mysql_real_escape_string(func_get_arg($i), $this->link);
            } else {
                $pat = "'" . mysql_real_escape_string(func_get_arg($i), $this->link) . "'";
            }

            $map[':' . $i] = $pat;
        }

        // Substitute all placeholders in one pass. strtr() tries the longest
        // keys first (so :1 cannot clobber :10) and never rescans text it has
        // already replaced (so a value containing ":2" is not expanded again),
        // both of which a loop of str_replace() calls gets wrong.
        $str = strtr($str, $map);
    }

    $this->query = $str;
}
Usage:

Code:

$db->parseQuery('SELECT * FROM `table` WHERE `col` = :1 AND `col2` = :2', $val1, $val2);
Or you can still run a straight query in a single string arg, but are left to your own devices for escaping etc.

TIA :)

EDIT: Whoops.. should be in Security, sorry.
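Added example (not code from Jenk or anyone else in this thread): a standalone script showing the two substitution problems a loop of str_replace() calls over :1, :2, ... runs into, and the single-pass strtr() alternative that avoids them. The escape helper is a constructed stand-in that mimics what mysql_real_escape_string() escapes, so the script runs without a database link; the numeric test is the same one used in the original parseQuery().

```php
<?php
// Constructed stand-in for mysql_real_escape_string(): escapes the same
// characters, but needs no MySQL link. Assumption made for this example only.
function fake_escape($s)
{
    return strtr($s, array(
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ));
}

// Same numeric test as the original parseQuery(): only canonical integer or
// float spellings are inlined unquoted; everything else is escaped and quoted.
function quote_value($val)
{
    if (strval(intval($val)) === strval($val)
        || strval(floatval($val)) === strval($val)) {
        return fake_escape($val);
    }
    return "'" . fake_escape($val) . "'";
}

// Sequential replacement, one str_replace() per placeholder.
function parse_sequential($sql, array $vals)
{
    $n = count($vals);
    for ($i = 1; $i <= $n; $i++) {
        $sql = str_replace(':' . $i, quote_value($vals[$i - 1]), $sql);
    }
    return $sql;
}

// Single pass: strtr() tries the longest keys first and never rescans text
// it has already substituted, so neither problem below can occur.
function parse_single_pass($sql, array $vals)
{
    $map = array();
    foreach ($vals as $k => $v) {
        $map[':' . ($k + 1)] = quote_value($v);
    }
    return strtr($sql, $map);
}

// Case 1: a value that itself contains the text of a later placeholder.
$sql  = 'SELECT * FROM t WHERE a = :1 AND b = :2';
$vals = array('x:2', 'y');
echo parse_sequential($sql, $vals), "\n";
// SELECT * FROM t WHERE a = 'x'y'' AND b = 'y'   <- :2 expanded inside value 1, quoting broken
echo parse_single_pass($sql, $vals), "\n";
// SELECT * FROM t WHERE a = 'x:2' AND b = 'y'    <- value left intact

// Case 2: more than nine placeholders, so :1 is a prefix of :10.
$sql  = 'INSERT INTO t VALUES (:1, :2, :3, :4, :5, :6, :7, :8, :9, :10)';
$vals = range('a', 'j');
echo parse_sequential($sql, $vals), "\n";
// ... 'i', 'a'0)   <- :10 was clobbered by the :1 replacement
echo parse_single_pass($sql, $vals), "\n";
// ... 'i', 'j')    <- longest key matched first
```

The first case is the one worth checking for in any home-grown placeholder scheme: once a substituted value is rescanned, the quoting of the final statement depends on user-supplied data rather than on the template, which is exactly what the escaping was meant to prevent.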

Posted: Sun Jul 16, 2006 11:42 am
by Weirdan
  • reformatted (1 tab = 4 spaces) because it didn't fit into 1024x768 screen resolution
  • moved to PHP - Security
  • Code:

        if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
            || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i))))

    could be replaced with

    Code:

        if (is_numeric(func_get_arg($i)))

Posted: Sun Jul 16, 2006 12:34 pm
by Jenk
I was reading the notes on php.net for is_numeric, and it apparently has issues with numbers > 16 chars, so I opted for the above instead :)

Thanks for moving.

Posted: Sun Jul 16, 2006 12:40 pm
by Weirdan
hmm... from my reading it's:
"What that means is that, for each string with more than 308 characters..."

Posted: Sun Jul 16, 2006 7:41 pm
by Jenk
Seems that this function can only verify numbers up to 16 digits long. Eg:

1111111111111111111

A 19-digit number will return false.
Is what I read (past tense.. not being anal :).)

Also,
is_numeric("1,000") = F
is_numeric("1e2") = T
is_numeric("-1e-2") = T
is_numeric("1e2.3") = F
is_numeric("1.") = T
is_numeric("1.2") = T
is_numeric("1.2.3") = F
is_numeric("-1") = T
is_numeric("- 1") = F
is_numeric("--1") = F
is_numeric("1-") = F
is_numeric("1A") = F
is_numeric(" 1") = T
is_numeric("1 ") = F
Would MySQL handle entries such as 1e2 in the same fashion?

Posted: Mon Jul 17, 2006 1:29 am
by Weirdan
Would MySQL handle entries such as 1e2 in the same fashion?
Of course, MySQL supports scientific notation.