Question about the DB class

[EcazS]

This must be a really stupid question but since I'm just starting out with all this "OOP" and I don't understand much of it (yet) I was just wondering how I use the DB class that is on BetterPHP github

If you're lazy then here it is,

<?php

/*
 *
 *		Handles mysql connections and queries.
 *
 */

class mysql {

	private $link		= null;
	private $result		= null;

	// connects to the database.
	public function __construct($server, $user, $pass, $db){
		$this->link = mysql_pconnect($server, $user, $pass);
		mysql_select_db($db, $this->link);

		if (is_callable('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
			foreach ($_GET as &$value) $value = stripslashes($value);
			foreach ($_POST as &$value) $value = stripslashes($value);
			foreach ($_COOKIE as &$value) $value = stripslashes($value);
		}
	}

	// escapes any control character in the input.
	public function escape(&$var, $return = false){
		$var = mysql_real_escape_string($var, $this->link);

		if ($return) return $var;
	}

	// performs the given SQL query.
	public function query($sql){
		$this->result = mysql_query($sql, $this->link);
	}

	// same as above but unbuffered.
	public function ub_query($sql){
		$this->result = mysql_unbuffered_query($sql, $this->link);
	}

	// fetches a row following a query.
	public function fetch(&$row){
		$row = mysql_fetch_assoc($this->result);

		return ($row !== false);
	}

	// same as above but returns an array of rows.
	public function fetch_array(){
		$results = array();

		while ($this->fetch($row)){
			$results[] = $row;
		}

		return $results;
	}

	// fetches a single cell.
	public function fetch_cell(&$result){
		$result = mysql_result($this->result, 0);

		return ($result !== false);
	}

	// fetches the last auto_increment number.
	public function fetch_last_id(&$id){
		$id = mysql_insert_id($this->link);
	}

}

?>

I might have an idea on how to connect but not sure about the rest, like inserting, fetching and all that...

[jacek]

Commented example...

// connect and select db, these parameters are passed to the __contruct function.
$mysql = new mysql('127.0.0.1', 'example_user', 'example_pass', 'database_name');

// perform a simple query to select some data.
$mysql->query('SELECT `name` FROM `users`');

// loop over that result outputting the data.
while ($mysql->fetch($row)){
    echo $row['name'], '<br />';
}

[libeco]

You first include the file into your file, than instantiate the class (make it a usable object inside your file with something like

$class = new mysql($server, $user, $pass, $db);

I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

After that you can just call the methods inside the public class:

$class->query($sql);

[jacek]

I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

I wrote it... And that would make no difference at all

[EcazS]

Thanks to both of you I was right about connecting but not about the sql part

Thaaanks!

[libeco]

I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

I wrote it... And that would make no difference at all

For usage, no, it wouldn't. However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter. Some conventions here:
http://news.php.net/php.standards/2
http://framework.zend.com/manual/en/cod ... tions.html
http://pear.php.net/manual/en/standards.classdef.php
http://www.horde.org/apps/horde/docs/CO ... efinitions

[jacek]

However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter.

It makes no difference at all. If you are that bothered you can fork the repo and change it.

I am not going to change the way I name things just because it's convention, if there was a functional reason to I would but just because it's how some people prefer to do it is not enough

[EcazS]

If I wanna use the escape function how do I do that?

$mysql->escape(&$msg);

That's not right, do I need the return = false in there? And what does the &-sign do?

[jacek]

And what does the &-sign do?

It means pass by reference. So anything that is done do the variable by the escape() function will affect the variable outside of the function. the best way to think of it is probably in contrast to the way this works normally, so

function set_value($var){
    $var = 'value';
}

$var = 'something';

set_value($var);

echo $var;

Would output "something", but

function set_value(&$var){
    $var = 'value';
}

$var = 'something';

set_value($var);

echo $var;

Would output "value"

And you only need to use the & in the function definition.

So if you have the variable $email to escape it you just do

$mysql->escape($email);

The return parameter is in case you also need to set the escaped value to a new variable e.g.

$email = $mysql->escape($_POST['email'], true);

[EcazS]

Ooh... alright, makes sense now.

I'm guessing I can enclose this in htmlentities,

$email = $mysql->escape($_POST['email'], true);

without any problems...

Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?
Well is there something I could just try out to see if it really works. Right now I'm just inserting information but I'd like to make sure it really works

[EcazS]

Yet another question...sorry

Say I wanted to use mysql_num_rows on a query, how would I do that? I tried doing this,

$result = $mysql->query("SELECT `name`, `email`, `body`, `date` FROM `messages` WHERE `read` = 0");
$num = mysql_num_rows($result);

but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.
However when I do it with "normal/plain" PHP it works fine, so I'm guessing I can't do it the way I've done it...

[jacek]

Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?

No, it adds a \ before any character that has meaning.

Well is there something I could just try out to see if it really works. Right now I'm just inserting information but I'd like to make sure it really works

Try to insert something that has a ' in it, if you get an SQL error you are vulnerable to sql injection.

but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.

Because the query() method does not return a mysql query result, you need to use the internal num_rows method

$mysql->query($sql);
$mysql->num_rows($rows);

echo $rows;

Which I don't think actually exists in the one on github.

[EcazS]

No, it adds a \ before any character that has meaning.


Try to insert something that has a ' in it, if you get an SQL error you are vulnerable to sql injection.

So it does help against sql injection... since it escapes the ' o_O


It's not in the github one

[jacek]

So it does help against sql injection... since it escapes the ' o_O

Yes, but it is not a magic function to protect all queries. It just escapes

It's not in the github one

public function num_rows(&$rows){
    $rows = mysql_num_rows($this->result);
}