
[php5] clsDB

Started by iago, August 28, 2006, 10:37:10 PM


iago

At work we have a somewhat handy database class.  It was written as commercial code, so I wouldn't feel right using it in free apps.  So I wrote my own (improved, I'd say :)) version of it. 

Basically, it keeps an associative array representing the database, allowing you to load, save, and create an entry extremely easily. 

I wrote the database class, a settings file, and a demo file.  The demo file shows how to load, update, and insert entries, as well as how to query a list and count entries in a table and a few other things. 

This probably shouldn't be used directly from your normal display code.  I'd write a middle-layer that generates queries and plays with objects, basically implementing the business layer, then a fairly simple display layer, or something.  But that's just me. 

<edit> Also, it should be secure against SQL-Injection and XSS except where I specifically say it isn't.  The get() and set() functions definitely won't fall victim to SQL-Injection or XSS, and the only places that will I think are the $where parameters for queries, which is pretty obvious. 

Here is the source: http://www.javaop.com/~ron/code/clsDB.tgz
Or, if you just want to look: http://www.javaop.com/~ron/code/clsDB


Any comments or suggestions are welcome.  I'm not actively using this code yet, so suggestions now or soon would be most helpful. 

(a note about where I posted: this sort of fits in web-dev and in tutorials/examples.... I personally like having it in the 'examples', but if anybody thinks it belongs in webdev, you have my permission to move it)
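As an added example (this is not the clsDB code linked above, whose internals are not shown in this thread), here is the same load/get/set/save pattern over an associative array, written against PDO with an in-memory SQLite table so it runs offline. The table name, column names and sample rows are constructed for the example. It keeps the split the post describes: get() and set() never touch SQL text, HTML escaping happens in one place on output, and the caller-supplied $where string remains the one spot where the programmer, not the class, is responsible for keeping user input out of the SQL.

```php
<?php
// Added example, not the thread's clsDB: one row kept as an associative array,
// loaded and saved through PDO prepared statements so values never reach SQL text.
// Table/column names and sample data below are constructed for this example.

class SafeRow
{
    private PDO $db;
    private string $table;
    private array $data = [];

    // Only identifiers matching this pattern are ever spliced into SQL text.
    private const IDENT = '/\A[A-Za-z_][A-Za-z0-9_]*\z/';

    public function __construct(PDO $db, string $table)
    {
        $this->db = $db;
        $this->table = self::ident($table);
    }

    private static function ident(string $name): string
    {
        if (!preg_match(self::IDENT, $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
        return $name;
    }

    // Load one row by primary key; the key is bound, never interpolated.
    public function load(int $id): bool
    {
        $stmt = $this->db->prepare("SELECT * FROM {$this->table} WHERE id = :id");
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false;
        }
        $this->data = $row;
        return true;
    }

    // Raw value for the business layer; nothing is escaped here.
    public function get(string $field)
    {
        return $this->data[self::ident($field)] ?? null;
    }

    // Value prepared for HTML output: this is the single place XSS is stopped.
    public function getHtml(string $field): string
    {
        return htmlspecialchars((string) $this->get($field), ENT_QUOTES, 'UTF-8');
    }

    public function set(string $field, $value): void
    {
        $this->data[self::ident($field)] = $value;
    }

    // Insert or update: column names are whitelisted identifiers, values are bound.
    public function save(): int
    {
        $cols = array_map([self::class, 'ident'], array_keys($this->data));
        if (isset($this->data['id'])) {
            $assign = implode(', ', array_map(fn($c) => "$c = :$c", array_diff($cols, ['id'])));
            $sql = "UPDATE {$this->table} SET $assign WHERE id = :id";
        } else {
            $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)', $this->table,
                implode(', ', $cols), implode(', ', array_map(fn($c) => ":$c", $cols)));
        }
        $params = [];
        foreach ($this->data as $k => $v) {
            $params[":$k"] = $v;
        }
        $this->db->prepare($sql)->execute($params);
        if (!isset($this->data['id'])) {
            $this->data['id'] = (int) $this->db->lastInsertId();
        }
        return (int) $this->data['id'];
    }

    // The WHERE clause is SQL text supplied by the programmer; anything that
    // came from a user belongs in $params, where it is bound rather than spliced.
    public function count(string $where = '1=1', array $params = []): int
    {
        $stmt = $this->db->prepare("SELECT COUNT(*) FROM {$this->table} WHERE $where");
        $stmt->execute($params);
        return (int) $stmt->fetchColumn();
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');

$u = new SafeRow($db, 'users');
$u->set('name', "O'Brien");                    // the quote is harmless: it is bound
$u->set('bio', '<script>alert(1)</script>');   // stored verbatim, escaped on output
$id = $u->save();

$v = new SafeRow($db, 'users');
$v->load($id);
echo $v->get('name'), "\n";
echo $v->getHtml('bio'), "\n";
echo $v->count('name = :n', [':n' => "O'Brien"]), "\n";
```

The example stores user data unmodified and escapes only when rendering, which is the opposite of escaping at set() time; either order works as long as it is done exactly once and the business layer knows which convention the class follows.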

Joe

if (!defined('RON'))
    die('Hacking attempt...');


ROFL.

rabbit

It's clearly got some roots in SMF :P

iago

Quote from: rabbit on August 28, 2006, 11:59:59 PM
It's clearly got some roots in SMF :P
Just that one line :)

rabbit

2 lines, technically :P

Anyway, it looks good, though I kind of prefer to use my own SQL classes.

Ender

iago, you keep churning out awesome work. I have my own org.iago package in my Java library. And now I may end up using this =P Nice job!

It's probably worth sharing: I tested it out to see if the regex considers a carriage return when seeing if the line ends with one of your set characters. It does consider it, and returns false on the match, so using newlines for sql-injection doesn't work in that area. http://64.9.205.64/~andrew/code/test/

iago

Now that you mention it, I never really looked at how I handle newlines; in fact, I didn't even give an option for a textarea.  Maybe I should! :)

iago

By the way, thanks for the compliment, that makes all this work worthwhile :)

I was playing with newlines, and apparently a carriage return (%0a) at the end doesn't break the regex, but a carriage somewhere other than the very end, or a linefeed (%0d) anywhere triggers it.  I also noticed that I can send a null (%00) to terminate the string early, but I don't think it does anything useful.  I don't particularly like that you can send a carriage return at the end of the string, but it's not hurting anything.


And incidentally, I made a couple minor changes and updated the code at the above link:
- Added a third parameter to "set", allowing the programmer to disable html-replacing (dangerous for user data, but ok for programmer data)
- Added a function, getTextArea(), which was sorely lacking before. 
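The behaviour described above (a 0x0a byte at the very end slipping past the check while one in the middle is rejected) is what PCRE's `$` anchor does by default: it matches at the end of the subject and also just before a final newline. The following is an added example, not code from clsDB; it assumes the class's whitelist check is written with `^...$` anchors, which the thread does not show, and the pattern and inputs are constructed for the demonstration. It shows the loose check beside one anchored with `\z` (the `D` modifier on `$` has the same effect) plus an explicit NUL-byte rejection.

```php
<?php
// Added example, not code from clsDB. Assumes the class's check is an
// end-anchored whitelist regex; the pattern and inputs here are constructed.

// Loose check: in PCRE, '$' also matches just before a final "\n".
function allowedLoose(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_ ]+$/', $value) === 1;
}

// Strict check: '\z' matches only at the true end of the subject, and a
// NUL byte is rejected up front because several C-backed PHP functions
// treat it as a string terminator even though preg_match itself does not.
function allowedStrict(string $value): bool
{
    if (strpos($value, "\0") !== false) {
        return false;
    }
    return preg_match('/\A[A-Za-z0-9_ ]+\z/', $value) === 1;
}

// Constructed inputs, labelled with the byte a URL-decoded %0a/%0d/%00 yields.
$cases = [
    'plain'         => "hello world",
    'trailing 0x0a' => "hello world\n",
    'middle 0x0a'   => "hello\nworld",
    'trailing 0x0d' => "hello world\r",
    'embedded 0x00' => "hello\0world",
];

foreach ($cases as $label => $value) {
    printf("%-14s loose=%s strict=%s\n", $label,
        allowedLoose($value) ? 'pass' : 'fail',
        allowedStrict($value) ? 'pass' : 'fail');
}
```

Only the "trailing 0x0a" row differs between the two columns, which is the gap the thread noticed; the `\z` form closes it without changing what the whitelist accepts otherwise.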

iago

Another small update: added functions getValuePair() and getIDPair(), which return the "fieldname=value" pairs, which you can send in URLs.