On first inspection of the differences in application of the mysql*() and mysqli*() families of functions, it appears to me that
$seta = mysql_query("SELECT * FROM table WHERE field = $Filter", $database);
Can be rapidly replaced with:
$seta = mysqli_query($database, "SELECT * FROM table WHERE field = $Filter");
Similarly, it also appears that
IF ($A = mysql_fetch_array($seta)) {
do {
//code here
} while ($A = mysql_fetch_array($seta));
}
Could be replaced with:
IF ($A = mysqli_fetch_array($seta)) {
do {
//code here
} while ($A = mysqli_fetch_array($seta));
}
Will this work the way I am expecting it to? As it worked before mysqli*()?
PLEASE NOTE: I am not asking if I SHOULD do this, only if I CAN do this. I know full well that slapping a band-aid on a broken leg is useless... That said, I don't have that many hours of coding/testing time before the Demo in March this is being prepped for.
Yes, I understand that this is vulnerable code. I won't go to production without safeguards. I also realize that I am not using all the power of the mysqli*() family of functions this way.
My goal is to refactor everything properly when there isn't such a heavy time crunch (Yes, I know, famous last programmer words). I just need the patched code to run for a Demo then I can retire it.
I have high hopes that with a working prototype -- both in situ and on a server I'm spinning up just to demonstrate the need for software updates -- I'll be able to leave the PHP v4.x blues behind.
Project:
PHP/MySQL better user searching
Also checked:
How to upgrade from mysql* to mysqli*?
PHP Migrating from mysql* to mysqli
Above titles were trimmed of underscores to prevent formatting.
The quick and dirty method, with emphasis on dirty, is to do it this way by converting mysql_query to mysqli_query and so on. The problem is mysql_query is really clunky to use so preserving that coding style is not going to help clean anything up.
Although I'd strongly recommend switching to PDO, it's a more flexible and capable database layer, if you want mysqli then what you want to do is employ parameterized queries and bind_param to add user data to your query. This solves the vast majority of SQL injection bugs out of the gate. I'd also suggest using the object-oriented interface so your updated code is obvious. The difference of a single i can be easy to overlook, plus it's typically less verbose.
In other words, your replaced code looks like:
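$stmt = $database->prepare("SELECT * FROM table WHERE field=?");
$stmt->bind_param('s', $filter); // 's' = bind $filter as a string
$stmt->execute();                // returns true/false, not the rows
$res = $stmt->get_result();      // mysqli_result to fetch from (needs the mysqlnd driver)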
If you're disciplined about doing this you should catch all your SQL mistakes.
PDO is nicer because of named parameters:
$stmt = $database->prepare("SELECT * FROM table WHERE field=:filter");
$res = $stmt->execute(array('filter' => $filter)); // true/false; fetch the rows from $stmt
That usually means less code in the long-run.
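The parameterized approach from the answer above, next to the string-built query from the question, as an added example that is not part of the original posts. It assumes PHP 7+ with the pdo_sqlite extension so it runs without a MySQL server; the `users` table, its `name` column, the sample rows and the function names are constructed for illustration.

```php
<?php
// Added example: constructed schema and data, not from the original posts.
// Assumption: in-memory SQLite stands in for MySQL; only the DSN differs.
$database = new PDO('sqlite::memory:');
$database->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$database->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$database->exec("INSERT INTO users (name) VALUES ('Smith'), ('O''Brien')");

// Style from the question: the value is pasted into the SQL text.
function search_concat(PDO $db, string $filter): array
{
    try {
        $set = $db->query("SELECT id, name FROM users WHERE name = '$filter'");
        return $set->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // The quote inside the data changed the statement itself.
        return ['error' => $e->getMessage()];
    }
}

// Prepared statement: the SQL text is fixed, the value is sent separately.
function search_bound(PDO $db, string $filter): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :filter");
    $stmt->execute(['filter' => $filter]); // returns bool; rows come from $stmt
    $rows = [];
    // Replaces the if / do-while fetch loop from the question.
    while ($A = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $rows[] = $A;
    }
    return $rows;
}

$filter = "O'Brien"; // constructed input containing a quote character
var_dump(search_concat($database, $filter)); // statement is altered by the data
var_dump(search_bound($database, $filter));  // value is matched as plain data
```

The same input that breaks the concatenated statement is matched as an ordinary string once it is bound, which is why the quick `mysql_query` to `mysqli_query` rename alone leaves the injection problem in place.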