Hi guys.

I am using this custom mysql query function, for two current purposes:
1) To send an error report if the query fails (and show a nice message - yep, there's controls to ensure the same error isn't submitted twice to avoid floods)
2) To count the amount of SQL queries on each page

function mysql_custom($sql)
{
  $GLOBALS['queryCount']++;

  if ($res = mysql_query($sql)) {
    return $res;
  } else {
    // We send an error report here if it fails, and display a nice error
  }
}

I was wondering however, as I use mysql_real_escape_string() on pretty much every $POST and $GET throughout my site that has any SELECT, UPDATE, INSERT, DELETE sql query... could I make that above function do it instead? That way I can get rid of tonnes of code from my individual.php functions and let that simple function do it itself?

Just wondering,if it can be done, what's the best method?

Thanks!

    Doing it in that function would be difficult.

    You could write a function to loop thru $POST and $GET and use mysql_real_escape_string() to clean all the input.

      Hi there, okay, thanks...

      How about this?

      function mysql_clean($value)
{
    $value = is_array($value) ?
                array_map('mysql_clean', $value) :
                mysql_real_escape_string($value);

return $value;
}



function mysql_custom($sql) 
{ 
  $GLOBALS['queryCount']++; 

  $_POST = array_map('mysql_clean', $_POST);
  $_GET = array_map('mysql_clean', $_GET);

  if ($res = mysql_query($sql)) { 
    return $res; 
  } else { 
    // We send an error report here if it fails, and display a nice error 
  } 
}

        The mysql_clean() function is good, but you don't want to call it every time you do a query. Just run it when the script first starts.

          Ah yeah! 🙂

          Do you think this should work fine... if so, I'll work on getting rid of them from my actual SQL queries throughout the site

          Thanks again

            Looks ok at a glance
            To run it you just need to do

            mysql_clean($_POST);

              One potential issue is that you may not necessarily want to escape every value in the super-global arrays, as not every value is necessarily only going to be used in MySQL queries. One approach would be to copy the array to a $sqlSafe array (or whatever useful name you'd like to use), then apply your function to that.

              However, my preferred solution is to use the MySQLi extension and use prepared queries with bound parameters, and simply not have to do any explicit escaping of such data.

                HalfaBee wrote:

                Doing it in that function would be difficult.

                What's difficult or wrong with this??

                function mysql_custom($sql)
{
  $GLOBALS['queryCount']++;
  $clean_sql = mysql_real_escape_string($sql);
  if ($res = mysql_query($clean_sql)) {
    return $res;
  } else {
    // We send an error report here if it fails, and display a nice error
  }
}

                I guess if you want to use the cleaned version of the variables outside of this function, you would need to use a different way, as you suggested; but if you only want to make sure that the query being passed to MySQL is cleaned, wouldn't we be able to just do that after the whole query string has been formed?

                  sorry if I came across as a smart@$$... I'm just curious to see if there is a problem with doing it that way?

                    Write a Reply...