Pseudo Prepared Statements for mysql_

Dev Shed Forums Sponsor:

January 21st, 2013, 08:01 AM

Northie

Square Peg in a Round Hole

Join Date: Oct 2007

Location: North Yorkshire, UK

Posts: 3,419

Time spent in forums: 3 Weeks 5 Days 10 h 15 m 39 sec
Reputation Power: 3896

Pseudo Prepared Statements for mysql_

There's been a lot of talk recently about the older mysql_* functions within PHP.

The main gripe from those telling others not to use it is down to security.

I've dug out an old bit of code which attempts to emulate prepared statements for the mysql_query fuction:

php Code:

Original - php Code

 
<?php
 
function mysql_prepared_query ($sql,$args=false,$con=false) {
    if($args) {
        if(is_array($args)) {
            $find = $replace = array();
            foreach($args as $key => $val) {
                $find[] = ":".$key;
                if($con) {
                    $replace[] = "'".mysql_real_escape_string($val,$con)."'";
                } else {
                    $replace[] = "'".mysql_real_escape_string($val)."'";
                }
            }
            
            $sql = str_replace($find,$replace,$sql);
            
        } else {
            throw new Exception('If $args is supplied then it must be an array, '.gettype($args).' supplied');
        }
    }
    
    //for debugging, comment out in production
    return $sql;
    
    if($con) {
        return mysql_query($sql,$con);
    }
    
    return mysql_query($sql);
}
 
$sql = "
    SELECT
        *
    FROM
        `table`
    WHERE
        `name` LIKE :name;
        OR
        `class` = :class
    ;
";
 
$args['name'] = '%Northie%';
$args['class'] = 'User';
 
//debug
echo mysql_prepared_query($sql,$args);
 
$sql = "
    SELECT
        *
    FROM
        `table`
    WHERE
        `name` = :name;
    ;
";
//debug
echo mysql_prepared_query($sql,'Northie');

__________________
PHP OOPS! <?php DB::Execute(SQL::makeFrom($_GET))->fetchArray()->FormatWith(Template::getInstance('default'))->printHtml(); ?>

PDO vs mysql_* functions: Find a Migration Guide Here

[ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]

January 21st, 2013, 11:04 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 1,863

Time spent in forums: 1 Month 2 Weeks 1 Day 19 h 44 m 40 sec
Reputation Power: 813

Hi,

well, I don't really see the point of "emulating" prepared statements. I mean, if people are willing to rewrite their whole database code, they should rather choose "the real thing" and use PDO/MySQLi. Why should they take this intermediate step just to replace everything again in a few years?

January 21st, 2013, 11:19 AM

requinix

Still alive

Join Date: Mar 2007

Location: Washington, USA

Posts: 12,698

Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1

Time spent in forums: 5 Months 1 Week 4 Days 4 h 53 m
Reputation Power: 8969

Send a message via Google Talk to requinix

Adding a new function and trying to use it in new/touched code doesn't sound like "rewriting their whole database code" to me.
It's not always fair to ask people to redo everything: there are a number of reasons why that might not be an option. If functions like this get them one step closer to doing it, or even if not but they realize this is more secure than what they have now, then I say it's worth it.

__________________
Site rules and FAQ | Project Suggestions | mod_rewrite guide | PHP New User Guide and FAQ - PHP Stickies | Regex Resources

January 21st, 2013, 05:30 PM

E-Oreo

Lost in code

Join Date: Dec 2004

Posts: 7,931

Folding Points: 945 Folding Title: Novice Folder

Time spent in forums: 2 Months 7 h 48 m 54 sec
Reputation Power: 7053

It's a useful little function, no doubt, but if the goal is to ease the transition into PDO or MySQLi it seems like it would be better build an interface that matches the API used by PDO / MySQLi - ie with prepare and execute. That way if they ever do actually decide to fully convert to the superior interfaces they won't have to rewrite as much code using your compatibility layer.

Also it's worth noting that the behavior of this function is not fully compatible with real prepared statements. It serves the same purpose as far as security goes, but this function allows things that normal prepared statement would not.

I think a bigger problem with the MySQL extension is that it's deprecated and slow. It's not actually that difficult to write secure code using them, as you've demonstrated.

Comments on this post

ManiacDan agrees: "I think a bigger problem with the MySQL extension is that it's deprecated and slow" <-- that

__________________
PHP FAQ
How to program a basic, secure login system using PHP

Quote:

Originally Posted by Spad

Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around

Pseudo Prepared Statements for mysql_

Developer Shed Advertisers and Affiliates