I Need help with converting mysql_escape_string() into mysqli_real_escape_string()

Hello all! I'm not a programmer and don't know PHP - this is the only reason I'm asking you for help. Back in 2004, I acquired a script for generating dynamic PHP pages for users' reviews - this is the only small section of my website where PHP is employed. Since then, the standard MySQL command and the functions related to it, particularly mysql_escape_string(), have been deprecated, and now I must replace them with the MySQLi command and its functions. I understand that solving this issue is a simple task for most of you, but it is a "mission impossible" for me, having no special education and knowledge. Could you please modify the attached code snippets? Thank you for your understanding and time!

Below are a few fragments that require modification. If something is missing and required for a complete piece of code, please let me know. Also, do I have to create a special file for connecting to a database, or could I use the existing 'functions.php' file (also shown below)?

1) To get access to Admin Area:

<?php
//if a session does not yet exist for this user, start one
session_start();

//if there is no username or password entered and the user has not already been validated, send user back to login page.
if ((empty($_POST["admin_username"]) || empty($_POST["admin_passtext"])) && empty($_SESSION['valid_user']))
{
Header("Location: index.php");
}

include ("../body_edit.php");
include ("../config.php");
include ("../functions.php");

//make sure user has been logged in.
if (empty($_SESSION['valid_user']))
{
// User not logged in, check database
//Check to see that the username and Password entered have admin access.
$sqlaccess = "SELECT username, passtext
FROM admin
WHERE username='" . mysql_escape_string($_POST['admin_username']) . "'
AND passtext = '" . mysql_escape_string($_POST['admin_passtext']) . "'
LIMIT 1
";

$resultaccess = mysql_query($sqlaccess)
or die(sprintf("Couldn't execute sql_count, %s: %s", db_errno(), db_error()));

$numaccess = mysql_numrows($resultaccess);

if ($numaccess == 0) {
BodyHeader("Access Not Allowed!");
?>
<style type="text/css">
<!--
.style1 {color: #FF0000}
.style2 {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
.style3 {font-family: Arial, Helvetica, sans-serif; font-size: 14px; }
-->
</style>
<P>To access the Administration area you need to have approved access. The username and Password (<?php echo "$admin_username and $admin_passtext"; ?>) you entered are not approved!<br>
<a href="index.php">Please try again</a>
<?php
BodyFooter();
exit;
}// if numaccess

//if the user/pass were valid create a session for the user.
$_SESSION['admin_passtext'] = $_POST['admin_passtext'];
$_SESSION['admin_username'] = $_POST['admin_username'];

//since user has been verified, set a session for checking on admin pages.
$_SESSION['valid_user'] = $_POST['admin_username'];

//set cookie so admin can save login info if logout link is not clicked.
if (empty($_COOKIE['admin_username']) && empty($_COOKIE['admin_passtext'])) {
setcookie("admin_username", $_POST['admin_username'], time() + 31536000, "/");
setcookie("admin_passtext", $_POST['admin_passtext'], time() + 31536000, "/");
}//if cookie
}//if session

BodyHeader("$sitename Administration Menu");

//Get the number of reviews that are not approved.
$result = mysql_query("SELECT COUNT(*) as total FROM review WHERE approve='n'
AND
review_item_id != '0'")
or die(sprintf("Couldn't execute sql_count, %s: %s", db_errno(), db_error()));

$rows = mysql_fetch_array($result);

$total = $rows["total"];

//Get the total number of reviews that are approved.
$result = mysql_query("SELECT COUNT(*) as totaly FROM review WHERE approve='y'")
or die(sprintf("Couldn't execute sql_count, %s: %s", db_errno(), db_error()));

$rows = mysql_fetch_array($result);
$totaly = $rows["totaly"];

//Get the total number of user submitted items that need to be approved.
$result = mysql_query("SELECT COUNT(*) as totalitemuser FROM review_items_user")
or die(sprintf("Couldn't execute sql_count, %s: %s", db_errno(), db_error()));

$rows = mysql_fetch_array($result);
$totalitemuser = $rows["totalitemuser"];

?>

//some code here....


<?php
BodyFooter();
exit;
?>

2) In my file functions.php:

<?php

$NumReviews = 8;

$db_name = "xxxxxxxxxxxxxxxxx";

$connection = @mysql_connect("xxxxxxxxx", "xxxxxxxxxxxx", "xxxxxxxxxxxx")

or die("Couldn't connect.");

$db = @mysql_select_db($db_name, $connection)

or die("Couldn't select database.");

function db_errno($args=array()) {

return @mysql_errno();

}
function db_error($args=array()) {

return @mysql_error();

}
?>

Other code snippets with MySQL functions:

3)

<?php
session_start();

include ("body_form.php");
include ("functions.php");
include ("config.php");

//some code here........

$sql = "SELECT * FROM
review_items
WHERE
item_id = $item_id";

$sql_result = mysql_query($sql)
or die(sprintf("Couldn't execute query, %s: %s", db_errno(), db_error()));

while ($row = mysql_fetch_array($sql_result)) {
$item_name = stripslashes($row["item_name"]);
$item_desc = stripslashes($row["item_desc"]);
$item_type = stripslashes($row["item_type"]);
}
BodyHeader("Submit review for $item_name");
?>

4) (in this snippet, there is also another deprecated function - preg_replace())

<?php
session_start();

include ("body_form.php");
include ("functions.php");
include ("config.php");

//some code here........

//check user input and remove any reference to javascript.
$errjava = "<font color=red><BR><BR><B>No Javascript is allowed! Please click edit and remove the offending code.<BR><BR></B></font>";

$summary = preg_replace("'<script[^>]*?>.*?</script>'si", "$errjava", $summary);
$review = preg_replace("'<script[^>]*?>.*?</script>'si", "$errjava", $review);
$source = preg_replace("'<script[^>]*?>.*?</script>'si", "$errjava", $source);
$location = preg_replace("'<script[^>]*?>.*?</script>'si", "$errjava", $location);

//replace bad words
$sql_filter = "select badword, goodword
from review_badwords
";

$sql_result_filter = mysql_query($sql_filter)
or die(sprintf("Couldn't execute query, %s: %s", db_errno(), db_error()));

while ($filter = mysql_fetch_array($sql_result_filter)) {
$review = preg_replace('/'.$filter['badword'].'/i', $filter['goodword'], $review);
$summary = preg_replace('/'.$filter['badword'].'/i', $filter['goodword'], $summary);
$source = preg_replace('/'.$filter['badword'].'/i', $filter['goodword'], $source);
$location = preg_replace('/'.$filter['badword'].'/i', $filter['goodword'], $location);
}

$review = nl2br($review);


//set_magic_quotes_runtime(0);
BodyHeader("Confirm $item_name Review");
?>

5) Can mysql_format() be simply replaced with mysqli_format()?

$review = mysql_format($review);
$summary= mysql_format($summary);
$source = mysql_format($source);
$location = mysql_format($location);
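As an added example that is not part of the OP's script or any reply, here is what the functions.php connection (snippet 2) and the admin login check (snippet 1) look like once converted to mysqli with a prepared statement. Connection details are placeholders, and it assumes the admin.passtext column is changed to hold password_hash() output rather than the plaintext the original compared against.

```php
<?php
// Added example, not the OP's script: functions.php (snippet 2) and the admin
// login check (snippet 1) converted to mysqli. Connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of @-silencing errors

$connection = mysqli_connect("DB_HOST_PLACEHOLDER", "DB_USER_PLACEHOLDER",
                             "DB_PASS_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
mysqli_set_charset($connection, "utf8mb4");

// mysqli has no implicit "last connection", so the helpers now take the link.
function db_errno(mysqli $link): int    { return mysqli_errno($link); }
function db_error(mysqli $link): string { return mysqli_error($link); }

// The submitted values are bound as parameters and never spliced into the SQL
// text, so neither mysql_escape_string() nor mysqli_real_escape_string() is needed.
function admin_login_ok(mysqli $link, string $username, string $passtext): bool
{
    $stmt = mysqli_prepare($link, "SELECT passtext FROM admin WHERE username = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $username); // "s": one string parameter
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if ($found !== true) {
        return false; // unknown username
    }
    // Assumption: admin.passtext now holds password_hash() output instead of the
    // plaintext password the original query compared with "passtext = '...'".
    return password_verify($passtext, $stored);
}

session_start();
if (empty($_SESSION['valid_user'])) {
    if (empty($_POST["admin_username"]) || empty($_POST["admin_passtext"])) {
        header("Location: index.php");
        exit;
    }
    if (!admin_login_ok($connection, $_POST["admin_username"], $_POST["admin_passtext"])) {
        http_response_code(403);
        exit("Access Not Allowed!"); // do not echo the submitted credentials back, as the original did
    }
    session_regenerate_id(true); // fresh session id after a successful login
    $_SESSION['valid_user'] = $_POST["admin_username"];
    // The original also kept the password in a one-year cookie; the session replaces that.
}
```

The COUNT(*) queries further down in snippet 1 take no user input, so they convert directly to mysqli_query($connection, $sql) and mysqli_fetch_assoc().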

Boy OP, you sure have made the forum rounds with this post. Anyways, for the sake of this forum, as I said in the other two forums, this is not a conversion. It will require a complete re-write which is not likely someone will do for free. As previously advised, you should post a "for hire" if you need this done. The only other real option is to make an attempt to learn what to do and we can help when you get stuck.

I would like to learn what to do. Could you point me to the code in my code snippets that needs to be re-written?

Well, pretty much all of it which is why I said it needs a re-write. Generally, re-write means write the code from the ground up from a blank page. What you are thinking would be considered updating the script.

If you would like to attempt this on your own, you will need to study the PDO tutorial I gave you on the other forum. Once you learn that, then you can start making an attempt to write this script. https://phpdelusions.net/pdo

There are many problems besides just the obsolete mysql_* code. I personally do not mess with Mysqli so someone else will need to guide you if you decide to use it. If you want to use PDO as you should, I will be happy to help you along in the forum and privately if need be.

FYI: You have posted this to at least 5 forums. I suggest you stick to this one (phpfreaks). This forum has by far more knowledgeable experts than any of the others. It is also frowned upon to cross-post the same question on multiple forums.
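As an added example (not benanamen's code or the OP's), here is the review_items lookup from snippet 3 and the bad-word filter from snippet 4 written with PDO as recommended above. Connection details are placeholders, and str_ireplace() is swapped in for preg_replace() so the badword values from the table are matched literally instead of being interpreted as regular expressions.

```php
<?php
// Added example, not the OP's script: the review_items lookup (snippet 3) and the
// bad-word filter (snippet 4) written with PDO. Connection values are placeholders.
$pdo = new PDO(
    "mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4",
    "DB_USER_PLACEHOLDER", "DB_PASS_PLACEHOLDER",
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // replaces every "or die(...)"
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Snippet 3 put $item_id straight into the query text. Bind it as an integer instead.
function load_review_item(PDO $pdo, $item_id): ?array
{
    $stmt = $pdo->prepare("SELECT item_name, item_desc, item_type FROM review_items WHERE item_id = ?");
    $stmt->execute([(int) $item_id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row; // no stripslashes(): magic quotes are gone
}

// Snippet 4 used each badword row as a raw regex. str_ireplace() matches it literally,
// so a badword containing ".", "*" or "/" can neither break the pattern nor widen it.
function filter_badwords(PDO $pdo, array $fields): array
{
    $rows = $pdo->query("SELECT badword, goodword FROM review_badwords")->fetchAll();
    foreach ($fields as $name => $text) {
        foreach ($rows as $r) {
            $text = str_ireplace($r['badword'], $r['goodword'], $text);
        }
        $fields[$name] = $text;
    }
    return $fields;
}

// Usage with the form fields from snippet 4:
$item  = load_review_item($pdo, $_GET['item_id'] ?? 0);
$clean = filter_badwords($pdo, [
    'summary'  => $_POST['summary']  ?? '',
    'review'   => $_POST['review']   ?? '',
    'source'   => $_POST['source']   ?? '',
    'location' => $_POST['location'] ?? '',
]);
// Escape on output instead of regex-stripping <script> tags: every tag becomes text,
// not just the ones the snippet-4 pattern happened to match.
echo nl2br(htmlspecialchars($clean['review'], ENT_QUOTES, 'UTF-8'));
```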

benanamen, I did that to receive as many different opinions and ideas for guidance as possible, and possibly actual modifications of my code snippets. As you can see, on some forums I got at least a few replies. On other forums, including this one, I've got no practical suggestions concerning my code. From you, I receive the same statement over and over: this script is all wrong. I seriously don't understand what is wrong with it. Can you point me to the flaws in the script? The script has been working so far, and I only wanted to upgrade MySQL to MySQLi for now so that my review pages remain afloat before I do a real re-write. For that, I need to learn PHP. Without any basic knowledge, I can't even comprehend anything in the PDO tutorial you referred me to.

  • 2 weeks later...

It took me a few days to modify my old script and fix all errors shown in the PHP code checker, but now the script works just fine! And I didn't have to re-write it completely. All I had to do was to establish a MySQLi link to a database and then replace all MySQL functions with their MySQLi equivalents according to the PHP Manual. I did it with help from good people on other forums, and it was not a very difficult task even for a noob like myself! The problem was solved!
