
Question about the DB class

Posted: Thu Jun 02, 2011 6:38 pm
by EcazS
This must be a really stupid question, but since I'm just starting out with all this "OOP" and don't understand much of it (yet), I was just wondering how I use the DB class that is on the BetterPHP GitHub.

If you're lazy then here it is,
<?php

/*
 *
 *		Handles mysql connections and queries.
 *
 *		Note: this wraps the legacy ext/mysql functions (mysql_*), which were
 *		deprecated in PHP 5.5 and removed in PHP 7.0.
 *
 */

class mysql {

	private $link		= null;
	private $result		= null;

	// connects to the database (persistent connection) and selects the schema.
	public function __construct($server, $user, $pass, $db){
		$this->link = mysql_pconnect($server, $user, $pass);
		mysql_select_db($db, $this->link);

		// undo magic_quotes_gpc so request values are not escaped twice when escape() is applied.
		if (is_callable('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
			foreach ($_GET as &$value) $value = stripslashes($value);
			foreach ($_POST as &$value) $value = stripslashes($value);
			foreach ($_COOKIE as &$value) $value = stripslashes($value);
			unset($value); // break the reference left behind by the last foreach.
		}
	}

	// escapes the characters that are special inside a quoted SQL string literal
	// (quotes, backslash, NUL, newline, carriage return, ^Z). The escaped value
	// still has to be placed between quotes in the query.
	public function escape(&$var, $return = false){
		$var = mysql_real_escape_string($var, $this->link);

		if ($return) return $var;
	}

	// performs the given SQL query (buffered result).
	public function query($sql){
		$this->result = mysql_query($sql, $this->link);
	}

	// same as above but unbuffered.
	public function ub_query($sql){
		$this->result = mysql_unbuffered_query($sql, $this->link);
	}

	// fetches the next row following a query; returns false when there are no more rows.
	public function fetch(&$row){
		$row = mysql_fetch_assoc($this->result);

		return ($row !== false);
	}

	// same as above but returns an array of all remaining rows.
	public function fetch_array(){
		$results = array();

		while ($this->fetch($row)){
			$results[] = $row;
		}

		return $results;
	}

	// fetches a single cell (first column of the first row).
	public function fetch_cell(&$result){
		$result = mysql_result($this->result, 0);

		return ($result !== false);
	}

	// fetches the auto_increment id generated by the last INSERT on this connection.
	public function fetch_last_id(&$id){
		$id = mysql_insert_id($this->link);
	}

}

?>
I might have an idea of how to connect, but I'm not sure about the rest, like inserting, fetching and all that... :?

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:37 pm
by jacek
Commented example...
// connect and select db, these parameters are passed to the __construct function.
$mysql = new mysql('127.0.0.1', 'example_user', 'example_pass', 'database_name');

// perform a simple query to select some data.
$mysql->query('SELECT `name` FROM `users`');

// loop over that result outputting the data.
while ($mysql->fetch($row)){
    echo $row['name'], '<br />';
}

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:38 pm
by libeco
You first include the file into your file, then instantiate the class (make it a usable object inside your file) with something like
$class = new mysql($server, $user, $pass, $db);
I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.

After that you can just call the methods inside the public class:
$class->query($sql);

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:40 pm
by jacek
libeco wrote:I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.
I wrote it... And that would make no difference at all :?

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:41 pm
by EcazS
Thanks to both of you :) I was right about connecting but not about the sql part :lol:

Thaaanks!

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:45 pm
by libeco
jacek wrote:
libeco wrote:I'm not sure who wrote the class, but generally the convention is to start class names with a capital letter.
I wrote it... And that would make no difference at all :?
For usage, no, it wouldn't. However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter. Some conventions here:
http://news.php.net/php.standards/2
http://framework.zend.com/manual/en/cod ... tions.html
http://pear.php.net/manual/en/standards.classdef.php
http://www.horde.org/apps/horde/docs/CO ... efinitions

Re: Question about the DB class

Posted: Thu Jun 02, 2011 7:50 pm
by jacek
libeco wrote:However, I'm pretty sure that class names are one of the places where everybody agrees it should start with a capital letter.
It makes no difference at all. If you are that bothered you can fork the repo and change it.

I am not going to change the way I name things just because it's convention, if there was a functional reason to I would but just because it's how some people prefer to do it is not enough ;)

Re: Question about the DB class

Posted: Thu Jun 02, 2011 8:12 pm
by EcazS
If I wanna use the escape function how do I do that?
$mysql->escape(&$msg);
That's not right, do I need the return = false in there? And what does the &-sign do? :?

Re: Question about the DB class

Posted: Thu Jun 02, 2011 8:19 pm
by jacek
EcazS wrote:And what does the &-sign do? :?
It means pass by reference. So anything that is done to the variable by the escape() function will affect the variable outside of the function. The best way to think of it is probably in contrast to the way this works normally, so
function set_value($var){
    $var = 'value';
}

$var = 'something';

set_value($var);

echo $var;
Would output "something", but
function set_value(&$var){
    $var = 'value';
}

$var = 'something';

set_value($var);

echo $var;
Would output "value"

And you only need to use the & in the function definition.

So if you have the variable $email to escape it you just do
$mysql->escape($email);
The return parameter is in case you also need to set the escaped value to a new variable e.g.
$email = $mysql->escape($_POST['email'], true);

Re: Question about the DB class

Posted: Thu Jun 02, 2011 9:33 pm
by EcazS
Ooh... alright, makes sense now.

I'm guessing I can enclose this in htmlentities,
$email = $mysql->escape($_POST['email'], true);
without any problems...

Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?
Well, is there something I could just try out to see if it really works? Right now I'm just inserting information, but I'd like to make sure it really works :P

Re: Question about the DB class

Posted: Thu Jun 02, 2011 10:30 pm
by EcazS
Yet another question...sorry :|

Say I wanted to use mysql_num_rows on a query, how would I do that? I tried doing this,
$result = $mysql->query("SELECT `name`, `email`, `body`, `date` FROM `messages` WHERE `read` = 0");
$num = mysql_num_rows($result);
but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.
However when I do it with "normal/plain" PHP it works fine, so I'm guessing I can't do it the way I've done it...

Re: Question about the DB class

Posted: Fri Jun 03, 2011 11:14 am
by jacek
EcazS wrote:Also, just out of general curiosity, mysql_real_escape_string helps against SQL injections, right?
No, it adds a \ before any character that has meaning.
EcazS wrote:Well is there something I could just try out to see if it really works. Right now I'm just inserting information but I'd like to make sure it really works :P
Try to insert something that has a ' in it; if you get an SQL error you are vulnerable to SQL injection.
EcazS wrote:but that gives me mysql_num_rows() expects parameter 1 to be resource, null given in blablabla.
Because the query() method does not return a mysql query result, you need to use the internal num_rows method
$mysql->query($sql);
$mysql->num_rows($rows);

echo $rows;
Which I don't think actually exists in the one on github.

Re: Question about the DB class

Posted: Fri Jun 03, 2011 11:43 am
by EcazS
jacek wrote: No, it adds a \ before any character that has meaning.

Try to insert something that has a ' in it, if you get an SQL error you are vulnerable to sql injection.
So it does help against sql injection... since it escapes the ' o_O

It's not in the github one :(

Re: Question about the DB class

Posted: Fri Jun 03, 2011 1:22 pm
by jacek
EcazS wrote:So it does help against sql injection... since it escapes the ' o_O
Yes, but it is not a magic function to protect all queries. It just escapes ;)
EcazS wrote:It's not in the github one :(
// fetches the number of rows in the last buffered query result.
public function num_rows(&$rows){
    $rows = mysql_num_rows($this->result);
}
;)
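An added example to go with the last two exchanges above (the "insert something with a ' in it" check, and "it is not a magic function to protect all queries. It just escapes"). This is not code from the thread or from the BetterPHP repository. It uses PDO with an in-memory SQLite database so it runs from the command line without a MySQL server; sqlite_escape() is a hypothetical stand-in for mysql_real_escape_string(): like the real function it escapes the quote character and adds no surrounding quotes, so the same mistakes apply. The sample rows are constructed.

```php
<?php
// Added example, not part of the original thread or the BetterPHP class.

// Stand-in for mysql_real_escape_string(): SQLite string literals escape a
// single quote by doubling it. Like the MySQL function it adds no quotes.
function sqlite_escape($value){
	return str_replace("'", "''", (string) $value);
}

// In-memory database with a few constructed rows.
function setup(){
	$pdo = new PDO('sqlite::memory:');
	$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
	$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
	$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");
	return $pdo;
}

// Runs a query (optionally with bound parameters) and returns the name column.
function names(PDO $pdo, $sql, array $params = array()){
	$stmt = $pdo->prepare($sql);
	$stmt->execute($params);
	return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$pdo = setup();

// 1. jacek's check: a value containing ' dropped into the SQL unescaped gives
//    an SQL error, which tells you the query text is under the user's control.
try {
	$pdo->exec("INSERT INTO users (name) VALUES ('o'brien')");
	echo "1. insert succeeded (unexpected)\n";
} catch (PDOException $e){
	echo "1. SQL error on an unescaped quote, so the query is injectable: ", $e->getMessage(), "\n";
}

// 2. The classic payload against a quoted string comparison. Unescaped it
//    returns every row; escaped AND quoted it matches nothing.
$name = "x' OR '1'='1";
echo "2. unescaped:         ", implode(',', names($pdo, "SELECT name FROM users WHERE name = '" . $name . "'")), "\n";
echo "   escaped + quoted:  ", implode(',', names($pdo, "SELECT name FROM users WHERE name = '" . sqlite_escape($name) . "'")), "\n";

// 3. Escaping does nothing for a value placed in an unquoted (numeric) position:
//    the payload contains no quote, so there is nothing to escape, and the
//    query becomes "WHERE id = 1 OR 1=1".
$id = "1 OR 1=1";
echo "3. escaped, unquoted: ", implode(',', names($pdo, "SELECT name FROM users WHERE id = " . sqlite_escape($id))), "\n";

// 4. A prepared statement with a bound parameter keeps the value out of the
//    SQL text entirely, so both payloads match nothing in either position.
echo "4. prepared (name):   ", implode(',', names($pdo, "SELECT name FROM users WHERE name = ?", array($name))), "\n";
echo "   prepared (id):     ", implode(',', names($pdo, "SELECT name FROM users WHERE id = ?", array($id))), "\n";
```

Case 2 is where escaping is enough, case 3 is where it is not, which is the distinction behind "it just escapes": the function only protects a value that ends up inside a quoted string literal. Bound parameters (case 4) do not depend on where in the query the value lands.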