1 Replies - 739 Views - Last Post: 06 June 2012 - 05:50 AM Rate Topic: -----

#1 chino

New D.I.C Head
Reputation: 0
Posts: 4
Joined: 06-June 12

PHP eval() code output (and SQLi)

Posted 06 June 2012 - 05:26 AM

Hi, first timer here...

I am writing a PHP function that cuts out a lot of the SQLi functions by just requiring some of the parameters (below is the code). Basically, it takes the input SQL, the types of parameter (for the prepared SQLi) and the actual inputs. The problem occurs in the eval() sections where it is finding an unexpected comma (but I believe that it should be there).

Errors:
1) Parse error: syntax error, unexpected ',' in .../new/php/functions.php(61) : eval()'d code on line 1
2) Warning: mysqli_stmt_bind_param() [function.mysqli-stmt-bind-param]: Number of elements in type definition string doesn't match number of bind variables in .../new/php/functions.php on line 61
3) Parse error: syntax error, unexpected ',' in .../new/php/functions.php(65) : eval()'d code on line 1
4) Warning: mysqli_stmt_bind_result() [function.mysqli-stmt-bind-result]: Number of bind variables doesn't match number of fields in prepared statement in .../new/php/functions.php on line 65


Errors 2) and 4) are because of 1) and 3).

function sql($inputSQL, $types, $inputs){
    //connect to db
    $con = connect();
    //prepare the SQL
    $stmt = mysqli_prepare($con, $inputSQL);

    //get the output vars from SQL
    preg_match('/SELECT(.*)\n.*FROM/', $inputSQL, $matches);
    $arr = explode(',', $matches[1]);

    //these are the input params
    $params = '';
    foreach($inputs as $p){
        $params .= '\'' . $p . '\', ';
    }
    $params = substr_replace($params, '', -2);

    //these are the output bindings
    $outputs = '';
    foreach($arr as $o){
        $outputs .= '$' . $o . ', ';
    }
    $outputs = substr_replace($outputs, '', -2);
    $outputs = str_replace('.', '_', $outputs);
    $outputs = str_replace('$ ', '$', $outputs);

    //the type string
    $types = '\'' . $types . '\'';

    //DEBUG
    echo "<br/>types = " . $types;
    echo "<br/>outputs = " . $outputs;
    echo "<br/>params = " . $params;
    //DEBUG

    //now do the sql stuff:
    //bind the params
    mysqli_stmt_bind_param($stmt, $types, eval($params));
    //execute
    mysqli_stmt_execute($stmt);
    //bind the results
    mysqli_stmt_bind_result($stmt, eval($outputs));
    //get the array
    $res = mysqli_stmt_fetch($stmt);

    //close db connection
    disconnect();
    //return the array
    return $res;
}




Replies To: PHP eval() code output (and SQLi)

#2 Dormilich

Reputation: 3576
Posts: 10,439
Joined: 08-June 10

Re: PHP eval() code output (and SQLi)

Posted 06 June 2012 - 05:50 AM

this all doesn’t make sense to me.

it would be good to know an example for $inputSQL so we can try to follow what you want to do. the eval() will definitely not do as expected, because it executes PHP code (which is not a valid argument). for ->bind_param() with an unknown number of parameters you need to use call_user_func_array().

->bind_result() (and the second foreach() loop) is pointless in your code as you do not use it. (and when you would use them, they’re out of scope)

->fetch() returns a boolean, not a result set or an array.


PS. I’d do that in PDO, since I can sequentially bind the parameters. you may look at this tutorial, though I’d do things a bit differently today (keyword: Dependency Injection)
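The following is an added example written for this thread, not code posted by chino or Dormilich. It shows the variable-arity binding the reply describes, using call_user_func_array() with an array of references instead of eval(), and it takes the output columns from the statement's result metadata rather than regex-parsing the SELECT. It assumes an already-open mysqli connection is passed in as $con (the original's connect()/disconnect() helpers are not used here); the SQL string, type string and parameter values in the usage line are constructed sample input. The security point is that eval() turns the caller's values into PHP source, so any value containing a quote or a semicolon becomes code that runs on the server; building an argument array keeps the values as data.

```php
<?php
// Added example, not the original poster's code. Assumes $con is an open
// mysqli connection supplied by the caller.

/**
 * Run a prepared statement with a variable number of bound parameters and
 * return all result rows as associative arrays (an empty array for statements
 * that produce no result set, e.g. INSERT/UPDATE).
 */
function sql(mysqli $con, string $inputSQL, string $types, array $inputs): array
{
    // Each character in $types ("s", "i", "d", "b") must describe one input.
    if (strlen($types) !== count($inputs)) {
        throw new InvalidArgumentException('type string length must match number of inputs');
    }

    $stmt = mysqli_prepare($con, $inputSQL);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }

    if ($inputs !== []) {
        // mysqli_stmt_bind_param() takes its variables by reference, so the
        // argument array must hold references, not copies. The values are
        // never turned into PHP source text, so no eval() is involved.
        $args = [$stmt, $types];
        foreach (array_keys($inputs) as $k) {
            $args[] = &$inputs[$k];
        }
        if (!call_user_func_array('mysqli_stmt_bind_param', $args)) {
            throw new RuntimeException('bind_param failed: ' . mysqli_stmt_error($stmt));
        }
    }

    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }

    // No result set (INSERT/UPDATE/DELETE): nothing to bind, return empty.
    $meta = mysqli_stmt_result_metadata($stmt);
    if ($meta === false) {
        mysqli_stmt_close($stmt);
        return [];
    }

    // One output variable per column, named from the metadata. The second
    // foreach() in the original post tried to do this by string-building;
    // here $row keeps the bound variables in scope for the fetch loop.
    $row = [];
    $bind = [$stmt];
    while ($field = mysqli_fetch_field($meta)) {
        $row[$field->name] = null;
        $bind[] = &$row[$field->name];
    }
    mysqli_free_result($meta);
    call_user_func_array('mysqli_stmt_bind_result', $bind);

    // mysqli_stmt_fetch() returns true per row and null when exhausted, so
    // the rows have to be collected in a loop; $row is copied on each pass
    // because the bound variables are overwritten by the next fetch.
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = $row;
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Constructed usage: placeholders carry the values, the type string says how
// to bind them. $con is assumed to be an open mysqli connection.
// $rows = sql($con, 'SELECT id, name FROM users WHERE email = ? AND active = ?',
//             'si', ['someone@example.com', 1]);
```

Two things the helper deliberately does not do: it never interpolates $inputs into the SQL text (the placeholders and the type string are what make the statement safe from SQL injection), and it never passes a string built from $inputs to eval(). If the same helper is wanted on PDO, bindValue() can be called in a loop over the inputs directly, which is the sequential binding the reply refers to.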