9 Replies - 1636 Views - Last Post: 26 May 2014 - 01:25 AM

#1 iambaltar

converting to pdo?

Posted 24 May 2014 - 12:47 PM

This is NOT SCHOOL RELATED - it is a personal project. I am trying to learn PDO...safer than mysqli (and mysql is pretty much deprecated). The problem is that I pretty much put in a lot of time with mysql. Then got books for mysqli. I basically can find tutorials for creating/connecting/populating a database with PDO, but I can't seem to find instruction on allowing users to search my database. I only know how to do this via mysql. Here is my best...I would like to convert this to PDO...but can't really find any sort of tutorial. Can anyone help convert this to PDO? PS - the nl2br() is very important!

I mean I can do the connect part as PDO, but without $searchquery and $sqlCommand turned into PDO, the script won't work. I pretty much have to figure those portions out connecting via $variable = new PDO ('msql:host=localhost;dbname=x;charset=utf8', 'u', 'p');

Please help converting the script.

<?php

error_reporting(E_ALL);
ini_set('display_errors', '1');
$search_output = "";
if(isset($_POST['searchquery']) && $_POST['searchquery'] != ""){
    $searchquery = preg_replace('#[^a-z 0-9?!]#i', '', $_POST['searchquery']);

    $sqlCommand = "SELECT a, b, c, d FROM db_table WHERE a LIKE '%$searchquery%'";

    include_once("db/dbconn.php");
    $query = mysql_query($sqlCommand) or die(mysql_error());
    $count = mysql_num_rows($query);
    if($count > 0){
        $search_output .= "$count result(s) for <strong>$searchquery</strong><br />";
        while($row = mysql_fetch_array($query)){
            $a = $row["a"];
            $a = mysql_real_escape_string($a);
            $b = $row["b"];
            $c = $row["c"];
            $d = $row["d"];

            $search_output .= "*<br><b>$a</b>- <br/><b>B is: </b>$b<br /> <br /> <b><i>C is: </i></b><i>$c</i><br /><b><i>D is: </i></b>$d<br/>";
            echo nl2br($b); // output $b with line breaks (original line "echo nl2br($B)/>;" was a syntax error)
        } // close while
    } else {
        $search_output = "<hr />0 results for <strong>$searchquery</strong><hr />$sqlCommand";
    }
    mysql_close();
}
?>



Replies To: converting to pdo?

#2 macosxnerd101

Re: converting to pdo?

Posted 24 May 2014 - 12:56 PM

PDO doesn't have anything to do with the end user. It is a means to query the database. You simply write the queries, bind the parameters, and run the queries. If the user provides input, you bind that data to the parameters. That's it.

Dormilich's PDO tutorial is a really good resource.

#3 iambaltar

Re: converting to pdo?

Posted 24 May 2014 - 01:30 PM

@mac - would it be possible to illustrate...the tutorial is pretty in depth but still a bit over my head. I need to have something to dissect... my php page is just a db search...there is no user -u or -p.

I apologize for coming off as pretty dumb lol...

#4 macosxnerd101

Re: converting to pdo?

Posted 24 May 2014 - 01:32 PM

I think Dormilich does a good job with examples, and I think with some work you can get through it. I'm not going to convert your page for you.

#5 IceTheNet

Re: converting to pdo?

Posted 25 May 2014 - 03:15 PM

A little helper: this is how you do queries. MAX isn't a lot of help. So you create your database and inject the queries into the PDO

$variable = new PDO ('mysql:host=localhost;dbname=x;charset=utf8', 'u', 'p');

// $searchquery is interpolated straight into the SQL text here (the original line also had "->" where "=" was meant)
$sqlCommand = $variable->prepare("SELECT a, b, c, d FROM db_table WHERE a LIKE '%$searchquery%'");

#6 macosxnerd101

Re: converting to pdo?

Posted 25 May 2014 - 03:33 PM

Dormilich's tutorial already provides plenty of examples on how to search. By the way- passing variables directly to the query defeats the whole purpose of PDO and prepared statements, as it opens you up to SQL Injection Attacks. I'm surprised someone who touts expertise as a hacker and network security professional wouldn't be more cognizant of that.

#7 IceTheNet

Re: converting to pdo?

Posted 25 May 2014 - 05:09 PM

macosxnerd101, on 25 May 2014 - 03:33 PM, said:

Dormilich's tutorial already provides plenty of examples on how to search. By the way- passing variables directly to the query defeats the whole purpose of PDO and prepared statements, as it opens you up to SQL Injection Attacks. I'm surprised someone who touts expertise as a hacker and network security professional wouldn't be more cognizant of that.


You are correct, but I, like you, am not going to write his code for him. I showed him how to do it, but nice of you to point that out. On the other hand, you don't have to be a DIC about it :)

#8 macosxnerd101

Re: converting to pdo?

Posted 25 May 2014 - 05:22 PM

My point is that it doesn't make sense to offer advice that is knowingly incorrect. People read the advice and take it to heart. We don't want poor practices to be spread. So please don't show people how to do things blatantly incorrectly when you know better.

Also, let's refrain from the personal attacks. ;)

#9 IceTheNet

Re: converting to pdo?

Posted 25 May 2014 - 11:29 PM

IceTheNet, on 25 May 2014 - 03:15 PM, said:

A little helper: this is how you do queries. MAX isn't a lot of help. So you create your database and inject the queries into the PDO

$variable = new PDO ('mysql:host=localhost;dbname=x;charset=utf8', 'u', 'p');

$sqlCommand = $variable->prepare("SELECT a, b, c, d FROM db_table WHERE a LIKE '%$searchquery%'");

Yes, do not use this in production. As you said you were trying to learn, this is ok for play, but by all means don't ever put variables in a search query. The reason being: if a POST comes in saying that your $searchquery variable were "nonsence INNER JOIN users ON a.password b.username"; well, just an example, that would spill the user database should you have one named that.

#10 Atli

Re: converting to pdo?

Posted 26 May 2014 - 01:25 AM

IceTheNet, on 26 May 2014 - 06:29 AM, said:

... reason being if post comes in saying that your $searchquery variable were "nonsence INNER JOIN users ON a.password b.username"; well just an example that would spill user database should you have one named that.

That example is very much flawed:

  • That particular input value would not do anything, other than return an empty set. It doesn't actually alter the structure of the query, since nothing in there ever breaks out of the search string.

  • The join syntax is invalid and would cause a syntax error, given that the above point were fixed.

  • I don't quite get how you figure this would spill the user database. The SELECT is returning four specific fields from the original table. Joining the users table is kind of pointless if none of its fields are returned by the select. - It might work with a wildcard query, that is unwisely dumped to the page for some reason, but this is not one of those.

  • While you can bypass the search condition with the right injection, your example does not do that. Meaning that you would still have to provide a valid search condition before your join, or everything would be filtered out.

