monkeytooth Posted April 2, 2010

Alright, I have built a series of functions for a class I am building which all surprisingly work for the most part, some thanks to the help of everyone here. But I am stuck yet again. My issue is: in any given PHP file I call my functions out like

$findSchool = countTableRows("var-user-cred", "TABLE_NAME", "WHERE School='" . mysql_real_escape_string($myschoolChek) . "' LIMIT 1");

The functions are all built similar to this according to its need:

function countTableRows($dbPIN, $tableName, $appndQ) {
    // ax2crdb is a function to connect to the DB.
    $run_conX = ax2crdb($dbPIN);
    // $appndQ is appended verbatim (WHERE clause, LIMIT, etc.).
    $totalcount_query = "SELECT COUNT(*) AS totalcount_rows FROM " . $tableName . " " . $appndQ;
    $totalcount_result = mysql_query($totalcount_query) or die('Error #SQL0003: Query Failed.');
    $totalcount_row = mysql_fetch_array($totalcount_result, MYSQL_ASSOC);
    $totalcount = $totalcount_row['totalcount_rows'];
    return $totalcount;
}

My current issue is with mysql_real_escape_string. I didn't realize I had to be already connected to the DB, in a manner of speaking, in order for that particular function to work; I thought it was a PHP function to work with MySQL to strip my inputs of bad entities. Well, in this case, quotes and what not, but yea. If you notice how I call out my functions for use you will most likely understand that the $appndQ could in a realistic way be just about anything. And if you will notice, when I call the function, the function will connect after it's called, not before. So using mysql_real_escape_string the way I am, with no active connection at the moment, kicks back an error. What I guess I am trying to figure out is I'm going to need to build my own scrubbing filter, but where should I start, and seeing as I am generally going for more than just injection blocking, what should I filter out? Has anyone ever built a filter to swap " with \" and remove <script .....> tags?
Is there already one somewhere I can just swipe and modify to my liking (yes, I know that's not in the ethics here, but I'm pressed for time so any shortcuts can help me greatly right now)?
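The ordering problem in the post (escaping before the connection exists) goes away if nothing is escaped into the query text at all and values are bound to a prepared statement instead. The following is an added example, not the poster's code: it rewrites countTableRows() over PDO, keeps the table name on an allowlist because identifiers cannot be bound, and takes the WHERE clause as a developer-written fragment with named placeholders plus an array of bound values. It uses an in-memory SQLite database constructed inline so it runs offline; the DSN, the table and column names (users, Username, School) and the sample rows are assumptions for the demo.

```php
<?php
// Added example, not the original poster's code. It uses PDO with an in-memory
// SQLite database constructed here so it runs offline; for MySQL the DSN would
// be something like 'mysql:host=...;dbname=...;charset=utf8mb4' plus credentials.
// Table and column names (users, Username, School) are assumptions for the demo.
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so the table name is checked
// against an allowlist instead of being concatenated straight from the caller.
const ALLOWED_TABLES = ['users' => true];

function connectDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on failure instead of returning false, so errors cannot be ignored.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, disable emulated prepares so values travel separately from the
    // statement text; pdo_sqlite does not emulate, so only set it there.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

/**
 * Count rows in $table matching $where.
 *
 * $where is a fixed SQL fragment written by the developer that uses named
 * placeholders (e.g. 'School = :school'); every user-supplied value goes into
 * $params and is bound by the driver, so nothing is ever escaped into the SQL.
 */
function countTableRows(PDO $pdo, string $table, string $where = '', array $params = []): int
{
    if (!isset(ALLOWED_TABLES[$table])) {
        throw new InvalidArgumentException('Table not allowed: ' . $table);
    }
    // Double quotes are the SQLite/ANSI identifier quote; MySQL uses backticks
    // unless ANSI_QUOTES is on.
    $sql = 'SELECT COUNT(*) AS totalcount_rows FROM "' . $table . '"';
    if ($where !== '') {
        $sql .= ' WHERE ' . $where;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

// ---- demo with constructed rows ------------------------------------------
$pdo = connectDb();
$pdo->exec('CREATE TABLE "users" ("Username" TEXT NOT NULL, "School" TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO "users" ("Username", "School") VALUES (:u, :s)');
foreach ([['alice', "St. Mary's"], ['bob', "St. Mary's"], ['carol', 'Central High']] as [$u, $s]) {
    $insert->execute([':u' => $u, ':s' => $s]);
}

// The apostrophe in the search value needs no escaping: it is bound, not spliced.
$mySchoolCheck = "St. Mary's";
echo countTableRows($pdo, 'users', 'School = :school', [':school' => $mySchoolCheck]), "\n";

// A classic injection string is just a value that matches no row.
$hostile = "x' OR '1'='1";
echo countTableRows($pdo, 'users', 'School = :school', [':school' => $hostile]), "\n";

// Anything that is not an approved table name is rejected before SQL is built.
try {
    countTableRows($pdo, 'users"; DROP TABLE "users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run with `php` on the command line: the first count prints 2 (both St. Mary's rows), the second prints 0 because the hostile string is compared as a plain value, and the last call is refused by the allowlist. The connection is opened once and passed in rather than re-opened inside every helper, which also answers the server-load worry in the thread: there is no extra round trip just to escape a string.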
monkeytooth (Author) Posted April 2, 2010

function cleaner4inputs($theInput) {
    // Remove backslashes, then encode HTML special characters (including quotes).
    $theOutput = stripslashes($theInput);
    $theOutput = htmlspecialchars($theOutput, ENT_QUOTES);
    return $theOutput;
    /* $theOutput = htmlentities($theOutput); */
}

I use this on one of my other sites for some of the form inputs. Anyone think that's enough, or should I be more in-depth about it? Go really deep stripping and removing stuff? This site I am currently working on is expected to have several million users within a couple of years' time; it's already got something like 20,000 lined up ready to sign up upon launch. The last thing I want is the site breaking within days of launch due to something that could have been prevented.
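The filter above mixes two separate concerns, stripping the stored value and encoding it for HTML, and does both before the data is stored. The following is an added example, not the poster's cleaner4inputs(): it keeps the value exactly as typed and encodes it once, at output time, for the context it lands in (HTML text, HTML attribute, inline JavaScript, URL parameter). It also runs the posted scrub alongside, for comparison, to show where stripslashes() and encode-on-input damage legitimate data. The sample inputs are constructed for the demo; the function names are assumptions.

```php
<?php
// Added example, not the poster's cleaner4inputs(). It stores what the user
// typed and encodes per output context instead. Sample inputs are constructed.
// Needs PHP 7.3+ for JSON_THROW_ON_ERROR.
declare(strict_types=1);

// For text nodes and double-quoted attribute values in HTML.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value written into an inline <script> as a JS string literal; the
// JSON_HEX_* flags keep "</script>" and quotes from terminating the block.
function encodeJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// For a value placed in a URL query component.
function encodeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// What the posted filter does on the way in, kept here only for comparison.
function scrubOnInput(string $s): string
{
    return htmlspecialchars(stripslashes($s), ENT_QUOTES);
}

$inputs = [
    "O'Brien",                                   // legitimate apostrophe
    'C:\\Users\\dan\\notes.txt',                 // legitimate backslashes
    '<script>alert(document.cookie)</script>',   // script injection attempt
    '" onmouseover="alert(1)',                   // attribute breakout attempt
];

foreach ($inputs as $raw) {
    $scrubbed = scrubOnInput($raw);
    echo "raw:            $raw\n";
    // stripslashes() has already mangled the path, and the entity encoding is
    // now part of the stored value ...
    echo "scrubbed input: $scrubbed\n";
    // ... so encoding it again at output time, which any template will do,
    // produces double-encoded text such as &amp;lt;.
    echo "double-encoded: " . encodeHtml($scrubbed) . "\n";
    // Encoding the raw value once, for the context it lands in, is enough:
    echo "html text:      " . encodeHtml($raw) . "\n";
    echo 'html attr:      <input value="' . encodeHtml($raw) . "\">\n";
    echo 'js literal:     <script>var v = ' . encodeJs($raw) . ";</script>\n";
    echo "url param:      ?q=" . encodeUrlParam($raw) . "\n\n";
}
```

The split is: validate on input (length, expected character set, required format for a field like a school name), store the value as typed, and encode on output with the function that matches the destination. SQL is handled separately by binding parameters, never by HTML encoding; a `<script>` tag that is stored verbatim and rendered through encodeHtml() is displayed as text and never executes, so nothing needs to be stripped from it.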
monkeytooth (Author) Posted April 2, 2010

Would it be smart to build a function that makes a connection to the DB, runs the escape string query and then outputs the result back, or is that just redundant and a means of complication in the long run on server load?