1
MS-2001
xoopsDB Object
  • 2005/9/7 13:25

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


I've got a question concerning the xoopsDB object. Sometimes I've got the problem that a query's just not working.

e.g:
$xoopsDB->query("UPDATE ".$xoopsDB->prefix("users_gal")." SET visit_count = visit_count + 1, visit_lastip='".$_SERVER['REMOTE_ADDR']."' WHERE pid=$pid");

There is no update after executing the file. Using MySQL directly

mysql_query("UPDATE ".$xoopsDB->prefix("users_gal")." SET visit_count = visit_count + 1, visit_lastip='".$_SERVER['REMOTE_ADDR']."' WHERE pid=$pid");

it works. So why??

2
kaotik
Re: xoopsDB Object
  • 2005/9/7 13:37

  • kaotik

  • Just can't stay away

  • Posts: 861

  • Since: 2004/2/19


I always use this format which works for me:
$query = "INSERT INTO ".$xoopsDB->prefix("xoops_table")." (table_field) VALUES ('$value')";
$res = $xoopsDB->query($query);
if (!$res) {
    echo "error: $query";
}
www.kaotik.biz

3
MS-2001
Re: xoopsDB Object
  • 2005/9/7 13:44

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


Sorry, but that's same, isn't it?
And neither the insert nor the update command needs a result var or am I wrong again?

4
Antoine
Re: xoopsDB Object
  • 2005/9/7 13:53

  • Antoine

  • Friend of XOOPS

  • Posts: 112

  • Since: 2004/11/14


XoopsDB doesn't execute command queries when the calling page reads $_GET variables as a security measure.

In this case $xoopsDB->query() does always return true, so it SEEMS like the query executed fine.
If you are aware that you are running a security risk and have taken utmost care to sanitise these $_GET vars, you can call $xoopsDB->queryF() to make the changes anyway.

Talking about sanitising values:
Always try to quote non-integer values using $xoopsDB->quoteString() and make sure any integer you include doesn't contain SQL-injection instructions, e.g.:

if (intval($pid) <= 0)
    die("Illegal parameter value (pid)");
$xoopsDB->query("UPDATE ".$xoopsDB->prefix("users_gal")." SET visit_count = visit_count + 1, visit_lastip='".$xoopsDB->quoteString($_SERVER['REMOTE_ADDR'])."' WHERE pid=$pid");

5
MS-2001
Re: xoopsDB Object
  • 2005/9/7 14:18

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


Ah ok. I didn't know that ($_GET). But now it's clear. Your query doesn't work anyway. Without the quoteString function it works (I think because of the two ' you get then: ' + ' = "" (nothing)).

Thanks for your help.

But another Question: What could happen when I wouldn't use:

if (intval($pid) <= 0)
die("Illegal parameter value (pid)");

???

6
Antoine
Re: xoopsDB Object
  • 2005/9/7 14:21

  • Antoine

  • Friend of XOOPS

  • Posts: 112

  • Since: 2004/11/14


Hmm, yeah sorry, that should be:
if (intval($pid) <= 0)
    die("Illegal parameter value (pid)");
$xoopsDB->query("UPDATE ".$xoopsDB->prefix("users_gal")." SET visit_count = visit_count + 1, visit_lastip=".$xoopsDB->quoteString($_SERVER['REMOTE_ADDR'])." WHERE pid=$pid");


Quote:

What could happen when I wouldn't use:

if (intval($pid) <= 0)
die("Illegal parameter value (pid)");

???


If you read $pid from a GET, POST or COOKIE, one could set
$pid to something like (not that great at hacking, so it might not work exactly like that) "1; INSERT INTO xoops_users_link (groupid, uid) VALUES (1, my_uid)", which should effectively make you an admin on the site.

7
MS-2001
Re: xoopsDB Object
  • 2005/9/7 14:23

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


I know. But in the case of the remote address it's senseless, isn't it?

What about my other question?

8
Antoine
Re: xoopsDB Object
  • 2005/9/7 14:32

  • Antoine

  • Friend of XOOPS

  • Posts: 112

  • Since: 2004/11/14


I believe that $_SERVER['REMOTE_ADDR'] is sent in the header by the client's browser and is therefore 100% spoofable. See my updated reply above for the answer to your other question.

EDIT: Looked it up on php.net, $_SERVER['REMOTE_ADDR'] seems safe enough, but it still is good practice to use quoteString.

9
MS-2001
Re: xoopsDB Object
  • 2005/9/7 15:50

  • MS-2001

  • Quite a regular

  • Posts: 204

  • Since: 2004/7/27


In which case should I use quoteString?

10
Antoine
Re: xoopsDB Object
  • 2005/9/7 17:30

  • Antoine

  • Friend of XOOPS

  • Posts: 112

  • Since: 2004/11/14


I'd pretty much use it whenever you need to include a quoted variable in a query. So basically for all variables except integers.
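The rules from posts 4, 6 and 10 (validate integers with intval(), pass every string through quoteString(), and never wrap the result of quoteString() in extra quotes) put together as a runnable example. This is an added example, not code from the thread or from XOOPS itself: the FakeXoopsDB class is an assumed stand-in for the two XoopsDatabase methods the posters use, so the script runs without a XOOPS install. It assumes quoteString() escapes with addslashes() and adds the surrounding single quotes (older XOOPS versions did it that way) and that prefix() prepends the configured table prefix. The sample pid and address values are constructed.

```php
<?php
// Stand-in for the XoopsDatabase methods used in this thread (assumption,
// not the XOOPS implementation): prefix() adds the table prefix and
// quoteString() escapes a string AND wraps it in single quotes.
class FakeXoopsDB
{
    private $prefix = 'xoops';

    public function prefix($table)
    {
        return $this->prefix . '_' . $table;
    }

    public function quoteString($str)
    {
        return "'" . addslashes($str) . "'";
    }
}

// Build the UPDATE from post 6 the safe way.
// - $pid must be a positive integer; anything else is refused, not "fixed".
// - $remoteAddr is a string, so it goes through quoteString() without any
//   additional quotes in the SQL text (that was the bug in post 4).
function buildVisitUpdate($db, $pid, $remoteAddr)
{
    $pidInt = intval($pid);
    // intval("1 OR 1=1") is 1, which would silently update the wrong row,
    // so additionally require that the value was a plain integer to begin with.
    if ($pidInt <= 0 || (string)$pidInt !== trim((string)$pid)) {
        return null;
    }
    return 'UPDATE ' . $db->prefix('users_gal')
        . ' SET visit_count = visit_count + 1'
        . ', visit_lastip=' . $db->quoteString($remoteAddr)
        . ' WHERE pid=' . $pidInt;
}

$db = new FakeXoopsDB();

// Constructed inputs: a normal request, a tampered pid, and an address
// carrying a single quote. The first produces a clean statement, the second
// is refused outright, and in the third the quote is escaped so it stays data.
$cases = array(
    array('42', '203.0.113.7'),
    array('1 OR 1=1', '203.0.113.7'),
    array('42', "203.0.113.7' OR '1'='1"),
);
foreach ($cases as $case) {
    $sql = buildVisitUpdate($db, $case[0], $case[1]);
    echo ($sql === null ? 'REFUSED pid=' . $case[0] : $sql), "\n";
}
```

Note that building the string safely is only half of the advice in post 4: on a page that reads $_GET, $xoopsDB->query() still returns true without executing the statement, so an UPDATE has to go through $xoopsDB->queryF() once the inputs have been validated like this.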
