
Converting mysql_* to mysqli_* issue

I am using MySQLConverterTool to convert my web application,

The first issue I faced is "code getting too big"; I don't even understand what that means. It was very small code before, and now I see this is too big.

//old code
$ask_id = mysql_real_escape_string($_POST['ask_id']);

//after convert (same statement, split over several lines for readability)
$ask_id = (
    (isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"]))
        ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_POST['ask_id'])
        : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : "")
);

It's working fine, but I want to know if it's the correct way of using mysqli_* or whether there is some issue or bug I need to fix in that line.

I also want to know how I can make this part secure:

if (isset($_POST['asking-money'])) {
    $dailyBonus = 10000;
    // $newtime, $dailyBonus and $userid are interpolated straight into the SQL string
    // (note: the original had 'dailyBonus' without the $, which would store the literal text)
    $update = mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE users SET ask_time='$newtime', bonus='$dailyBonus' WHERE id='$userid'");
    // some more calculation
}

The first bit of code looks like it (grossly) added a giant ternary statement to check that the variables you were using were at least set, but other than that you should just be able to use:

mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $_POST['ask_id'])

As for security with the SQL query, try using Prepared Statements instead of directly querying with variables:

mysqli_prepare

For the mysqli_* part, most of the things that used to be done with mysql_* remained almost the same with a new prefix, so most likely there is no problem. As for how to make it secure, just evaluate and prepare all the parameters being passed from the user before using them in the query; in other words, NEVER, under any circumstances, use the user input directly in a query. Other than that, the code seems very fine to me.

The first code is a ternary statement (a short way of writing if/else). Way too much, in my opinion.

I recommend PDO and its prepared statements, if you're able to use them. It's very secure and easy to handle.

By the way: try to avoid the MySQLConverterTool. It's hard to get into this code after months. Keep it smart and simple! :-)

Good luck!
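To show what the answers above mean by "prepared statements", here is an added example (not code from the question or from any of the answers) that rewrites the question's UPDATE with mysqli_prepare so no user-supplied value is ever part of the SQL text. It assumes a connected mysqli object named $mysqli and that $userid comes from the server-side session, not from the request.

```php
<?php
declare(strict_types=1);

// Added example: the question's UPDATE as a mysqli prepared statement.
// Table and column names (users, ask_time, bonus, id) are taken from the question.
function applyDailyBonus(mysqli $mysqli, int $userId, int $newTime, int $dailyBonus): int
{
    // Placeholders (?) stand in for every value; the SQL string itself is constant.
    $stmt = $mysqli->prepare("UPDATE users SET ask_time = ?, bonus = ? WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // "iii": three integer parameters, sent to the server separately from the query
    // text, so they can only ever be treated as data, never as SQL.
    $stmt->bind_param('iii', $newTime, $dailyBonus, $userId);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage mirroring the question's block. Connection details are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make driver errors throw
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');

session_start();
if (isset($_POST['asking-money']) && isset($_SESSION['userid'])) {
    // Casting to int rejects anything that is not a whole number before it is bound.
    $userid = (int) $_SESSION['userid'];
    $rows = applyDailyBonus($mysqli, $userid, time(), 10000);
    // $rows is 1 when the user row existed and was updated, 0 otherwise
}
```

The same query written as a string with $userid interpolated would let whatever is in that variable change the statement's meaning; with bind_param the server receives the three numbers separately and the statement cannot change shape.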
