2

I am using a dataHandler library to handle all of my db inserts / updates, etc. The library has the following functions:

function prepareValue($value, $connection){
$preparedValue = $value;
if(is_null($value)){
    $preparedValue = 'NULL';
}
else{
    $preparedValue = '\''.mysql_real_escape_string($value, $connection).'\'';
}
return $preparedValue;
}

function parseParams($params, $type, $connection){
$fields = "";
$values = "";

    if ($type == "UPDATE"){
    $return = "";
    foreach ($params as $key => $value){
    if ($return == ""){
        if (preg_match("/\)$/", $value)){
            $return = $key."=".$value;
        }
        else{
            $return = $key."=".$this->prepareValue($value, $connection);
        }
    }
    else{
        if (preg_match("/\)$/", $value)){
            $return = $return.", ".$key."=".$value;
        }
        else{
            $return = $return.", ".$key."=".$this->prepareValue($value,              
                         $connection);
        }
    }
    }
    return $return;
/* rest of function contains similar but for "INSERT", etc.
   }

These functions are then used to build queries using sprintf, as in:

$query = sprintf("UPDATE table SET " .
    $this->parseParams($params, "UPDATE", $conn) .
" WHERE fieldValue = %s;", $this->prepareValue($thesis_id, $conn));

$params is an associative array: array("db_field_name"=>$value, "db_field_name2"=>$value2, etc.)

I am now running into problems when I want to do an update or insert of a string that ends in ")" because the parseParams function does not put these values in quotes.

My question is this: Why would this library NOT call prepareValue on strings that end in a closed parenthesis? Would calling mysql_real_escape_string() on this value cause any problems? I could easily modify the library, but I am assuming there is a reason the author handled this particular regex this way. I just can't figure out what that reason is! And I'm hesitant to make any modifications until I understand the reasoning behind what is here.

Thanks for your help!

Improve this question
2
  • 3
    I cannot see any reason why you would not call mysql_real_escape_string() on a value ending in ). What is this library? Perhaps the author had only some unusual personal use case in mind. Commented Aug 13, 2011 at 20:38
  • @Michael Thanks for the sanity check. As far as I know it's just a general use library that the author had for database interactions, and wasn't designed for any special use case. Commented Aug 13, 2011 at 22:33

1 Answer 1

Reset to default
1

Please note that inside prepareValue not only mysql_real_escape_string is applied to the value but it is also put inside '. With this in mind, we could suspect that author assumed all strings ending with ) to be mysql function calls, ie:

$params = array(
    'field1' => "John Doe",
    'field2' => "CONCAT('John',' ','Doe')",
    'field3' => "NOW()"
);

Thats the only reasonable answer that comes to mind.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you! That makes a lot of sense, and for my purposes means I can edit away as I am not passing in any function calls.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.