PHP - Getsqlvaluestring - What is the purpose of this function, generated by Dreamweaver?

Asked

Viewed 39 times

0

What good is GetSQLValueString? And if there is a difference to PHP7, what difference does that function make? What happens if I don’t use it? Can anyone help me understand it better?

if (!function_exists("GetSQLValueString")) 
{
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }

        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

        switch ($theType) {
            case "text":
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;    
            case "long":
            case "int":
            $theValue = ($theValue != "") ? intval($theValue) : "NULL";
            break;
            case "double":
            $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
            break;
            case "date":
            $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
            break;
            case "defined":
            $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
            break;
        }
        return $theValue;
    }
}

After that, there is a section that uses this function.

if($cod_u > 0){
    $updateSQL = sprintf("UPDATE usuario SET cod_id=%s, nome=%s, sexo=%s   WHERE cod_u=%s",
     GetSQLValueString( utf8_decode($_POST['cod_id']), "int"),
php mysql
  • 1

    read: https://stackoverflow.com/questions/4458180/php-getsqlvaluestring-function

1 answer

1

I don’t know why Dreameaver created this function (I don’t use it), but she does the following:

Receives a value ($theValue) and passes through the function mysql_real_escape_string, that makes some checks and changes in the variable text to make it impossible to attack SQL Injection.

Next check which type of data you are trying to insert into the database transforms the text to the valid format to execute a query in the database.

For example, if the $theType for "text" it takes the value and concatenates single quotes before and after the text, if it is "int" it uses the function intval to pass only the numerical value, etc. If there is nothing in the variable $theValue she turns her into NULL to insert the empty field into the database.

Dreamweaver seems to be using the customer mysqli, which is a very old way of connecting to the database. The most modern and recommended standard is the use of PDO, which is object-oriented and has greater security.

Answering the question E o que acontece se eu não usar?: If you receive the value directly from the browser and do not use a character escape function you are vulnerable to attacks. See the documentation of mysql_real_escape_string.

Edit: Correction: THE mysqli is safe and fast (faster than the PDO in some cases), in fact it is the mysql that is depreciated.

Browser other questions tagged php mysql

You are not signed in. Login or sign up in order to post.