[Q] Help with mysql query regex

#1 Contributing User:


I have some functions to pass the query args safely. For example I use it like:
query_this($query, $nickname);
by replacing %s as a placeholder for strings and %d for int args, but the problem is that if the args contain a %s or %d it gets matched!

Here is a simple thing:

```php
<?php
$string = "select * from students where name like '%samy%' or nickname like '%s';";
// Find every printf-style placeholder in the query text.
preg_match_all("{(%d|%s|%%|%f|%b|%n)}is", $string, $matches);
print_r($matches);
```

It matches the two '%s (in '%samy and in like '%s'). I do not want to match the %s that is part of a word.
Thanks
#2 Did you steal it?:
    Redo your logic so this won't happen.

    Besides, it's much easier to use prepared statements in mysqli or PDO because they handle all this work for you. And they do it better.
#3 Contributing User:
Thanks, can you help with the regex pattern?
#4 Did you steal it?:
#5 Contributing User:
Sure, as much as I understand it.
I already have a db class; this function is inside a method. I can't figure out any easy way to perform the query safely, if you have an example please.
#6 Did you steal it?:
    There isn't really any "safe" way to do this that I can see. For example, you could say "%s not followed by a letter" but then %s% would still be replaced.

    Prepared statements are the best way to do this because they take into account the syntax of SQL and the structure of a query. It's not reasonable to make your own code do that.
#7 Contributing User:
Thanks again, can you guide me where to read more about prepared statements, please?
I just want to say my class was used in Drupal, or was inspired by Drupal's structure.
Thanks again.
#8 Did you steal it?:
    If you're used to the mysql extension and mysql_* functions then this can help you move to PDO. Don't worry, it's really easy to use.
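The two approaches discussed in this thread, as an added example that is not code from the thread or from Drupal's database layer: the placeholder substitution from the question (plus the "%s not followed by a letter" variant from post #6) beside a PDO prepared statement. The function names query_this_naive and find_students, the column list (id, name, nickname) and the sample rows are assumptions; it uses an in-memory SQLite database through PDO so it runs without a MySQL server, and the same PDO calls work against a mysql: DSN.

```php
<?php
// Added example, not code from the thread. Shows why text substitution on the
// SQL string cannot be made safe, then the prepared-statement alternative.

// --- 1. The approach from the question: replace %s / %d inside the SQL text.
function query_this_naive(string $query, array $args): string
{
    $i = 0;
    return preg_replace_callback('/%(s|d)/', function (array $m) use (&$i, $args): string {
        $value = $args[$i++] ?? '';
        return $m[1] === 'd' ? (string) (int) $value : "'" . addslashes((string) $value) . "'";
    }, $query);
}

$template = "select * from students where name like '%samy%' or nickname like '%s'";
echo query_this_naive($template, ['bob']), "\n";
// The "%s" inside '%samy%' is consumed as a placeholder, so this prints
//   select * from students where name like ''bob'amy%' or nickname like ''''
// which is mangled SQL. The same thing happens when an *argument* holds "%s".

// "%s not followed by a letter" (post #6) does not help either: a legitimate
// wildcard pattern such as '%s%' is still swallowed.
$notFollowedByLetter = '/%(s|d)(?![A-Za-z])/';
var_dump(preg_match($notFollowedByLetter, "nickname like '%s%'")); // int(1)

// --- 2. Prepared statement: the SQL text is fixed, values travel separately.
// Assumed table/columns: students(id, name, nickname).
function find_students(PDO $pdo, string $nameFragment, string $nickname): array
{
    // '!' is declared as the LIKE escape character so that % and _ supplied by
    // the caller match literally; this works the same in MySQL and SQLite.
    $sql = 'SELECT id, name, nickname FROM students '
         . "WHERE name LIKE :name ESCAPE '!' OR nickname LIKE :nick ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':name' => '%' . escape_like($nameFragment) . '%',
        ':nick' => escape_like($nickname),
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE wildcards are data, not query structure: neutralise them in PHP.
function escape_like(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// In-memory SQLite so the example runs offline. For MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=school', $user, $pass,
//           [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//            PDO::ATTR_EMULATE_PREPARES => false]);  // let the server bind values
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, nickname TEXT)');
$ins = $pdo->prepare('INSERT INTO students (name, nickname) VALUES (:name, :nick)');
// Constructed sample rows: one nickname contains a literal "%s", one a quote.
foreach ([['samy', 'sam'], ['john', '100%s'], ['samir', "x' or '1'='1"]] as [$name, $nick]) {
    $ins->execute([':name' => $name, ':nick' => $nick]);
}

// "%s" in the argument is now plain data: returns the samy row (name) and the
// john row (nickname), nothing is substituted into the SQL text.
print_r(find_students($pdo, 'samy', '100%s'));

// The quote in the argument cannot break out of the value: only samir matches.
print_r(find_students($pdo, 'zzz', "x' or '1'='1"));
```

The point the thread makes is visible in the second half: the query text handed to prepare() never changes, so there is nothing to scan for "%s", and the question of whether a placeholder sits inside a word simply does not arise. The only thing the caller still has to think about is LIKE wildcards, which is a matching question rather than an injection one, handled here with the explicit ESCAPE clause.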
