Question about the DB class

Ask about a PHP problem here.
Post Reply
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Question about the DB class

Post by EcazS »

This must be a really stupid question but since I'm just starting out with all this "OOP" and I don't understand much of it (yet) I was just wondering how I use the DB class that is on BetterPHP github

If you're lazy then here it is,
[syntax=php]<?php

/*
*
* Handles mysql connections and queries.
*
*/

class mysql {

private $link = null;
private $result = null;

// connects to the database.
public function __construct($server, $user, $pass, $db){
$this->link = mysql_pconnect($server, $user, $pass);
mysql_select_db($db, $this->link);

if (is_callable('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
foreach ($_GET as &$value) $value = stripslashes($value);
foreach ($_POST as &$value) $value = stripslashes($value);
foreach ($_COOKIE as &$value) $value = stripslashes($value);
}
}

// escapes any control character in the input.
public function escape(&$var, $return = false){
$var = mysql_real_escape_string($var, $this->link);

if ($return) return $var;
}

// performs the given SQL query.
public function query($sql){
$this->result = mysql_query($sql, $this->link);
}

// same as above but unbuffered.
public function ub_query($sql){
$this->result = mysql_unbuffered_query($sql, $this->link);
}

// fetches a row following a query.
public function fetch(&$row){
$row = mysql_fetch_assoc($this->result);

return ($row !== false);
}

// same as above but returns an array of rows.
public function fetch_array(){
$results = array();

while ($this->fetch($row)){
$results[] = $row;
}

return $results;
}

// fetches a single cell.
public function fetch_cell(&$result){
$result = mysql_result($this->result, 0);

return ($result !== false);
}

// fetches the last auto_increment number.
public function fetch_last_id(&$id){
$id = mysql_insert_id($this->link);
}

}

?>[/syntax]

I might have an idea on how to connect but not sure about the rest, like inserting, fetching and all that... :?
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

Commented example...

[syntax=php]// connect and select db, these parameters are passed to the __contruct function.
$mysql = new mysql('127.0.0.1', 'example_user', 'example_pass', 'database_name');

// perform a simple query to select some data.
$mysql->query('SELECT `name` FROM `users`');

// loop over that result outputting the data.
while ($mysql->fetch($row)){
echo $row['name'], '<br />';
}[/syntax]
Image
libeco
Posts: 104
Joined: Sat May 07, 2011 9:56 am

Re: Question about the DB class

Post by libeco »

You first include the file into your file, than instantiate the class (make it a usable object inside your file with something like [syntax=php]$class = new mysql($server, $user, $pass, $db);[/syntax]
I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

After that you can just call the methods inside the public class:
[syntax=php]$class->query($sql);[/syntax]
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

libeco wrote:I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

I wrote it... And that would make no difference at all :?
Image
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about the DB class

Post by EcazS »

Thanks to both of you :) I was right about connecting but not about the sql part :lol:

Thaaanks!
libeco
Posts: 104
Joined: Sat May 07, 2011 9:56 am

Re: Question about the DB class

Post by libeco »

jacek wrote:
libeco wrote:I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

I wrote it... And that would make no difference at all :?


For usage, no, it wouldn't. However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter. Some conventions here:
http://news.php.net/php.standards/2
http://framework.zend.com/manual/en/cod ... tions.html
http://pear.php.net/manual/en/standards.classdef.php
http://www.horde.org/apps/horde/docs/CO ... efinitions
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

libeco wrote:However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter.

It makes no difference at all. If you are that bothered you can fork the repo and change it.

I am not going to change the way I name things just because it's convention, if there was a functional reason to I would but just because it's how some people prefer to do it is not enough ;)
Image
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about the DB class

Post by EcazS »

If I wanna use the escape function how do I do that?
[syntax=php]
$mysql->escape(&$msg);
[/syntax]
That's not right, do I need the return = false in there? And what does the &-sign do? :?
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

EcazS wrote:And what does the &-sign do? :?

It means pass by reference. So anything that is done do the variable by the escape() function will affect the variable outside of the function. the best way to think of it is probably in contrast to the way this works normally, so

[syntax=php]function set_value($var){
$var = 'value';
}

$var = 'something';

set_value($var);

echo $var;[/syntax]
Would output "something", but

[syntax=php]function set_value(&$var){
$var = 'value';
}

$var = 'something';

set_value($var);

echo $var;[/syntax]
Would output "value"

And you only need to use the & in the function definition.

So if you have the variable $email to escape it you just do

[syntax=php]$mysql->escape($email);[/syntax]
The return parameter is in case you also need to set the escaped value to a new variable e.g.

[syntax=php]$email = $mysql->escape($_POST['email'], true);[/syntax]
Image
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about the DB class

Post by EcazS »

Ooh... alright, makes sense now.

I'm guessing I can enclose this in htmlentities,
[syntax=php]$email = $mysql->escape($_POST['email'], true);[/syntax]
without any problems...

Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?
Well is there something I could just try out to see if it really works. Right now I'm just inserting information but I'd like to make sure it really works :P
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about the DB class

Post by EcazS »

Yet another question...sorry :|

Say I wanted to use mysql_num_rows on a query, how would I do that? I tried doing this,
[syntax=php]
$result = $mysql->query("SELECT `name`, `email`, `body`, `date` FROM `messages` WHERE `read` = 0");
$num = mysql_num_rows($result);
[/syntax]
but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.
However when I do it with "normal/plain" PHP it works fine, so I'm guessing I can't do it the way I've done it...
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

EcazS wrote:Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?

No, it adds a \ before any character that has meaning.

EcazS wrote:Well is there something I could just try out to see if it really works. Right now I'm just inserting information but I'd like to make sure it really works :P

Try to insert something that has a ' in it, if you get an SQL error you are vulnerable to sql injection.

EcazS wrote:but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.

Because the query() method does not return a mysql query result, you need to use the internal num_rows method

[syntax=php]$mysql->query($sql);
$mysql->num_rows($rows);

echo $rows;[/syntax]
Which I don't think actually exists in the one on github.
Image
User avatar
EcazS
Posts: 789
Joined: Fri May 06, 2011 5:29 pm

Re: Question about the DB class

Post by EcazS »

jacek wrote:No, it adds a \ before any character that has meaning.


Try to insert something that has a ' in it, if you get an SQL error you are vulnerable to sql injection.

So it does help against sql injection... since it escapes the ' o_O


It's not in the github one :(
User avatar
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK
Contact:

Re: Question about the DB class

Post by jacek »

EcazS wrote:So it does help against sql injection... since it escapes the ' o_O

Yes, but it is not a magic function to protect all queries. It just escapes ;)

EcazS wrote:It's not in the github one :(

[syntax=php]public function num_rows(&$rows){
$rows = mysql_num_rows($this->result);
}[/syntax]

;)
Image
Post Reply