Bravo List
Register
Go Back   > Bravo List > Source Code > Active Trackers > Torrent Trader
Reply
  #1  
Old 12th December 2021, 17:13
JohnHasher JohnHasher is offline
Coder
 
Join Date: Apr 2020
P2P
Posts: 62
Default SQL prepared statement for TT
now you can use prepared statements to avoid sql injection for people who still use mysqli instead of PDO.



find and replace the code

change following in mysql.class.php


PHP Code:
function &SQL_Query_exec ($query,$bind '',$iden '') {
    
$sql = new SQL_Query($query,$bind,$iden);
    return 
$sql->execute();
}

class 
SQL_Query {
     private 
$query "";
    private 
$params = array();
    private 
$bind;
    function &
__construct ($query,$bind,$iden) {
        
$this->query $query;
        
$this->bind $bind;
        
$this->iden $iden;
        return 
$this;
    }
    function &
($param) {
        if (
is_numeric($param)) {
            
$this->params[] = $param;
        } elseif (
is_array($param)) {  
          
$this->params[] = implode(", "array_map(array(&$this"escape"), $param)); 
       } else {            
$this->params[] = $this->escape($param);        }        return $this;    }

    function &
p_name ($param) {
        
$this->params[] = "`".$GLOBALS["DBconnector"]->real_escape_string($param)."`";
        return 
$this
   } 
   function 
escape ($s) { 
       if(
is_numeric($s)){
            return 
$s
       }else{
        return 
"'".$GLOBALS["DBconnector"]->real_escape_string($s)."'";
        }    }
    function 
read () { 
       
$ret ""
       if (
count($this->params)) {
            
reset($this->params); 
           for (
$i 0$i strlen($this->query); $i++) {
                if (
$this->query[$i] == "?") {
                    list(, 
$val) = thisEach($this->params); 
                   
$ret .= $val;
                } else {
                    
$ret .= $this->query[$i];
                }            }
            
reset($this->params);
        } else {
            
$ret $this->query;
        }
        return 
$ret;
    }

    function &
execute() {
        global 
$db_debug
       
$par $this->bind//in array 
       
if(empty($par)){
        
$query $this->read();
        
$res $GLOBALS["DBconnector"]->query($query);
        }else{            
$query $this->query;
            
$iden $this->iden;
            
$stmt $GLOBALS["DBconnector"]->prepare($query);
            if(empty(
$iden)){
            
$iden str_repeat("s",count($par));
            }else{            }
            
$stmt->bind_param($iden, ...$par);
            
$stmt->execute();
            
$res $stmt ->get_result();
        }
        
$mysqli_error $GLOBALS["DBconnector"]->error;
         
$mysqli_errno $GLOBALS["DBconnector"]->errno;
        if (
$res || $mysqli_errno == 1062) {            return $res;        }        // If debug_backtrace() is available, we can find exactly where the query was called from
        
if (function_exists("debug_backtrace")) {
            
$bt debug_backtrace(); 
           
$i 1;
            if (
$bt[$i]["function"] == "SQL_Query_exec_cached" || $bt[$i]["function"] == "get_row_count_cached" || $bt[$i]["function"] == "get_row_count")
                
$i++; 
           
$line $bt[$i]["line"];
            
$file str_replace(getcwd().DIRECTORY_SEPARATOR""$bt[$i]["file"]);
            
$msg "Database Error in $file on line $line$mysqli_error. Query was: $query.";
        } else {
            
$file str_replace(getcwd().DIRECTORY_SEPARATOR""$_SERVER["SCRIPT_FILENAME"]);
            
$msg "Database Error in $file$mysqli_error. Query was: $query";
        } 
       
$GLOBALS["DBconnector"]->query("INSERT INTO `sqlerr` (`txt`, `time`) VALUES (".sqlesc($msg).", '".get_date_time()."')");
       
// mysqli_query($GLOBALS["DBconnector"],"INSERT INTO `sqlerr` (`txt`, `time`) VALUES (".sqlesc($msg).", '".get_date_time()."')");
    
if($db_debug=="true"){
        if ( 
function_exists('show_error_msg') ){             show_error_msg("Database Error""Database Error. Please report this to an administrator."1);            }
    }
}


replace the old mysqli procedural to Object Oriented

FILE : functions.php

PHP Code:
    function_exists("mysqli_connect") or die("MySQLi support not available.");
    
$GLOBALS["DBconnector"] = new mysqli($mysql_host$mysql_user$mysql_pass,$mysql_db);    // Check connection
    
if ($GLOBALS["DBconnector"]->connect_error) { 
       die(
"Connection failed: " $GLOBALS["DBconnector"]->connect_error);
    } 

how to use:
PHP Code:
$q SQL_Query_exec("SELECT username FROM users WHERE id=?",['1']); 
remember parameters should be in array, even for 1 parameter.


default identifier is string,if you like to mention any other identifier like integer.
PHP Code:
$q SQL_Query_exec("SELECT username FROM users WHERE id=?",['1'],"i"); 
for multiple identifier: example "iii"; (means 3 identifiers for 3 parameters)



greetings to people who helped me
__________________
i do custom mods in xbtitfm and torrenttrader for $$, PM me for details.

Last edited by JohnHasher; 12th December 2021 at 17:41.
Reply With Quote
  #2  
Old 15th December 2021, 20:21
MicroMonkey's Avatar
MicroMonkey MicroMonkey is offline
Senior Member
 
Join Date: Jun 2016
P2P
Posts: 52
Default
we eliminated the need for thisEach()....(thanks to m-jay). You can check github for updates if it helps your project along. Thanks for the code. https://github.com/MicrosoulV3/TorrentTrader-v3. Feel free to help out if you want to, over at torrenttrader.uk. New ideas are always good. Hope you have a good day :)
Quote:
function read () {
$ret = "";
if (count($this->params)) {
reset($this->params);
for ($i = 0; $i < strlen($this->query); $i++) {
if ($this->query[$i] == "?") {
$val = current($this->params); //new var to replace thisEach
next($this->params); //new var to replace thisEach
$ret .= $val;
} else {
$ret .= $this->query[$i];
}
}
reset($this->params);
} else {
$ret = $this->query;
}
return $ret;
}
__________________
More torrenttrader stuff at https://torrenttrader.uk

Last edited by MicroMonkey; 15th December 2021 at 20:41.
Reply With Quote
  #3  
Old 17th December 2021, 15:22
JohnHasher JohnHasher is offline
Coder
 
Join Date: Apr 2020
P2P
Posts: 62
Default
yeah sure
__________________
i do custom mods in xbtitfm and torrenttrader for $$, PM me for details.
Reply With Quote
  #4  
Old 17th December 2021, 16:06
xblade's Avatar
xblade xblade is offline
Cod3r
 
Join Date: Nov 2020
P2P
Posts: 239
Default
You do know there is a easy of doing this without the above
Reply With Quote
  #5  
Old 17th December 2021, 20:28
JohnHasher JohnHasher is offline
Coder
 
Join Date: Apr 2020
P2P
Posts: 62
Default
easy how?
__________________
i do custom mods in xbtitfm and torrenttrader for $$, PM me for details.
Reply With Quote
  #6  
Old 18th December 2021, 05:46
BamBam0077 BamBam0077 is offline
Banned
 
Join Date: Jul 2013
P2P
Posts: 410
Default
Explain more please is this so I can start updating to use MYSQLi over MySQL ? little bit confused :P

SQL_Query_exec($GLOBALS["DBconnector"], $query) or mysqli_error(__file__, __line__);
Reply With Quote
  #7  
Old 18th December 2021, 08:33
JohnHasher JohnHasher is offline
Coder
 
Join Date: Apr 2020
P2P
Posts: 62
Default
SQL_Query_exec(QUERY,PARAMETER,IDENTIFIER);
IF YOU DIDN'T MENTION ANY IDENTIFIER, DEFAULT IS STRING.


THIS UPDATE IS FOR PEOPLE WHO USE MYSQLI INSTEAD OF PDO.


YOU CAN EITHER USE PREPARED STATEMENTS (FOR COMPLETE PROTECTION AGAINST SQL INJECTION) OR NORMAL QUERY
__________________
i do custom mods in xbtitfm and torrenttrader for $$, PM me for details.
Reply With Quote
  #8  
Old 18th December 2021, 21:13
xblade's Avatar
xblade xblade is offline
Cod3r
 
Join Date: Nov 2020
P2P
Posts: 239
Default
Quote:
Originally Posted by BamBam0077 View Post
Explain more please is this so I can start updating to use MYSQLi over MySQL ? little bit confused :P

SQL_Query_exec($GLOBALS["DBconnector"], $query) or mysqli_error(__file__, __line__);

you will be its not true msqli
you do not need this part as well
(__file__, __line__);

Last edited by xblade; 18th December 2021 at 23:00.
Reply With Quote
  #9  
Old 19th December 2021, 00:33
MicroMonkey's Avatar
MicroMonkey MicroMonkey is offline
Senior Member
 
Join Date: Jun 2016
P2P
Posts: 52
Default
ummm, mysqli_error does require that like this for precedural, but feel free to change it to OOP. I think thats what the OP was posting about anyways. I have no idea where bambam got that code from

mysqli_error($GLOBALS["DBconnector"])
__________________
More torrenttrader stuff at https://torrenttrader.uk

Last edited by MicroMonkey; 19th December 2021 at 21:48.
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT +2. The time now is 23:02. vBulletin skin by ForumMonkeys. Powered by vBulletin® Version 3.8.11 Beta 3
Copyright ©2000 - 2024, vBulletin Solutions Inc.