[php5] clsDB

[iago]

At work we have a somewhat handy database class.  It was written as commercial code, so I wouldn't feel right using it in free apps.  So I wrote my own (improved, I'd say :)) version of it. 

Basically, it keeps an associative array representing the database, allowing you to load, save, and create an entry extremely easily. 

I wrote the database class, a settings file, and a demo file.  The demo file shows how to load, update, and insert entries, as well as how to query a list and count entries in a table and a few other things. 

This probably shouldn't be used directly from your normal display code.  I'd write a middle-layer that generates queries and plays with objects, basically implementing the business layer, then a fairly simple display layer, or something.  But that's just me. 

<edit> Also, it should be secure against SQL-Injection and XSS except where I specifically say it isn't.  The get() and set() functions definitely won't fall victim to SQL-Injection or XSS, and the only places that will I think are the $where parameters for queries, which is pretty obvious. 

Here is the source: http://www.javaop.com/~ron/code/clsDB.tgz
Or, if you just want to look: http://www.javaop.com/~ron/code/clsDB


Any comments or suggestions are welcome.  I'm not actively using this code yet, so suggestions now or soon would be most helpful. 

(a note about where I posted: this sort of fits in web-dev and in tutorials/examples.... I personally like having it in the 'examples', but if anybody thinks it belongs in webdev, you have my permission to move it)

[Joe]

Code Select Expand

if (!defined('RON'))
    die('Hacking attempt...');

ROFL.

[rabbit]

It's clearly got some roots in SMF :P

[iago]

It's clearly got some roots in SMF :P

Just that one line :)

[rabbit]

2 lines, technically :P

Anyway, it looks good, though I kind of prefer to use my own SQL classes.

[Ender]

iago, you keep churning out awesome work. I have my own org.iago package in my Java library. And now I may end up using this =P Nice job!

It's probably worth it to share, I tested it out to see if the regex considers a carriage return when seeing if the line ends with one of your set characters. It does consider it, and returns false on the match, so using newlines for sql-injection doesn't work in that area. http://64.9.205.64/~andrew/code/test/

[iago]

Now that you mention it, I never really looked at how I handle newlines; in fact, I didn't even give an option for a textarea.  Maybe I should! :)

[iago]

By the way, thanks for the complement, that makes all this work worthwhile :)

I was playing with newlines, and apparently a carriage return (%0a) at the end doesn't break the regex, but a carriage somewhere other than the very end, or a linefeed (%0d) anywhere triggers it.  I also noticed that I can send a null (%00) to terminate the string early, but I don't think it does anything useful.  I don't particularily like that you can send a carriage return at the end of the string, but it's not hurting anything.


And incidentally, I made a couple minor changes and updated the code at the above link:
- Added a third parameter to "set", allowing the programmer to disable html-replacing (dangerous for user data, but ok for programmer data)
- Added a function, getTextArea(), which was sorely lacking before. 

[iago]

Another small updated: added functions getValuePair() and getIDPair(), which return the "fieldname=value" pairs, which you can send in URLs.