SitePoint Sponsor

User Tag List

Results 1 to 15 of 15
  1. #1
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Mysql_real_escape_string errors in classes

    I know mysql_real_escape_string needs a connection to the mysql server first.

    I did connect to the mysql server, but I'm still getting errors for using mysql_real_escape_string. I tried to make my connection a global variable with no luck too.

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO)
    Do I really have to make a connection again whenever I want to do validation in a class?

    Basically this is a login class which handles all the validation, processing and redirection.

  2. #2
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't think scope is the problem. In other words it doesn't matter if you connect in the global scope, or a funciton, or a class method, if a connection has been establish m_r_e_s() should work.
    If you pass in the connection resource, that's a different matter, you'll need to have that variable available in the current scope to pass in.

    Do you have a code sample?
    How are you connecting to MySQL? (mysql_connect(), mysqli_connect() or mysqli OO?)

  3. #3
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok, here's the calling script's code:

    PHP Code:
    <?php
    require_once("Model/connect.php");
    require_once(
    "Control/class.login.php");

     global 
    $connection;

    try{
      
    $connection connectDB('username''password''db');
    }
    catch(
    PDOException $e){
      echo 
    $e->getMessage();
    }

    $loginObj = new login('username''password');
    $loginObj->display();
    ?>
    And theres whats in the class:

    PHP Code:
    <?php
    class login{

      private 
    $_username;
      private 
    $_password;
      public  
    $role;

      public function 
    __construct($username$password){
        
    $this->_username $username;
        
    $this->_password $password;

        
    $this->validateLogin();
      }

      private function 
    validateLogin(){
        
    $this->_username mysql_real_escape_string(trim($this->_username));
        
    $this->_password mysql_real_escape_string(trim($this->_password));
      }
      
      public function 
    display(){
        echo 
    $this->_username "<br />";
        echo 
    $this->_password "<br />";
      }
    }
    ?>
    First time using PDO too...
    Just in case theres something wrong with the connection code:

    PHP Code:
    function connectDB($username$password$db){
      
    $dns "mysql:host=localhost;dbname=" $db;
      
    $connection = new PDO($dns$username$password, array(PDO::ATTR_PERSISTENT => true));
      
    $connection->setAttribute(PDO::ATTR_ERRMODEPDO::ERRMODE_EXCEPTION);
      return 
    $connection;


  4. #4
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    my mobile portal
    ghiris.ro

  5. #5
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Ernie1 View Post
    ah...I gotta get used to using PDO.

    but I can't seem to get the global $connection to work in the class. I've to pass the connection into the class like this:

    PHP Code:
    class login{

      private 
    $_username;
      private 
    $_password;
      public  
    $connection;
      public  
    $role;

      public function 
    __construct($username$password$connection){
        
    $this->_username  trim($username);
        
    $this->_password  trim($password);
        
    $this->connection $connection;

        
    $stmt       $this->prepareStatement();
        
    $this->role $this->processLogin($stmt);
      }

      private function 
    prepareStatement(){
        
    $stmt $this->connection->prepare("SELECT role FROM login WHERE username = :username AND password = :password");
        
    $stmt->bindParam(':username'$this->_username);
        
    $stmt->bindParam(':password'$this->_password);
        return 
    $stmt;
      }

      private function 
    processLogin($stmt){
        
    $processLogin $stmt->execute(array('username' => $this->_username'password' => $this->_password));
        
    $processLogin $stmt->fetch(PDO::FETCH_ASSOC);
        return 
    $processLogin['role'];
      }

    So I'll have to pass the $connection into all classes that works with PDO? And does that mean with a prepare statement, I don't have to do a mysql_real_escape_string anymore?

  6. #6
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by resting View Post
    So I'll have to pass the $connection into all classes that works with PDO? And does that mean with a prepare statement, I don't have to do a mysql_real_escape_string anymore?
    Yes, you will need to supply the connection in one way or another. Passing it in via the constructor is a pretty flexible method, although it can be a bit tedious compared to using a global symbol. But it's a good way to go.

    No, you don't need to do escaping anymore, as long as it's a prepared statement, and you use placeholders for each value.

  7. #7
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by crmalibu View Post
    Yes, you will need to supply the connection in one way or another. Passing it in via the constructor is a pretty flexible method, although it can be a bit tedious compared to using a global symbol. But it's a good way to go.

    No, you don't need to do escaping anymore, as long as it's a prepared statement, and you use placeholders for each value.
    great. no more escaping. but what do you mean by placeholders? any examples?

  8. #8
    Non-Member
    Join Date
    Oct 2009
    Posts
    1,852
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    :password and :username are axamples
    so, escaping just changed to binding :)
    not much difference

  9. #9
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    but doesnt :username and :password get substituted by whatever the user inputs, much like a sprintf statement?

  10. #10
    Non-Member
    Join Date
    Oct 2009
    Posts
    1,852
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yes, it get substituted
    no, not like a sprintf statement

    binded data and query itself goes to database separated

  11. #11
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    so is the binding statement above technically right?

    kinda confused. how can the data and query be separated? i mean, we can't query a database with only half of a query. It'll give errors right?

  12. #12
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    When you call prepare(), php sends the sql to the database(the litteral sql with the placeholders), and the database sends back a prepared statement id. The database parses and analyzes the sql, and it then knows exactly how many/which values are missing, and where those values will go.

    When you later execute it(the statement), php just basically sends the values along with the statement id. The database looks up which query corresponds to the statement id, and then uses the values it's given. You can kinda compare this to the difference between using eval() and defining a function. With the function, you first define the behavior the code will have, and later, you execute the function and supply arguments for it to use.

    Btw, you don't need to use the bind*() methods, you can just supply the array to execute() like you did. pdo just provides multiple ways to do it.

  13. #13
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by crmalibu View Post
    When you call prepare(), php sends the sql to the database(the litteral sql with the placeholders), and the database sends back a prepared statement id. The database parses and analyzes the sql, and it then knows exactly how many/which values are missing, and where those values will go.

    When you later execute it(the statement), php just basically sends the values along with the statement id. The database looks up which query corresponds to the statement id, and then uses the values it's given. You can kinda compare this to the difference between using eval() and defining a function. With the function, you first define the behavior the code will have, and later, you execute the function and supply arguments for it to use.

    Btw, you don't need to use the bind*() methods, you can just supply the array to execute() like you did. pdo just provides multiple ways to do it.
    thanks for the clear explanation, I did a bit of read up on PDO. seems like the escaping was done in the prepare statement? or was it the bind statement? Well, it doesn't really matter since they work in pair right?

    and ya, i noticed i didn't need to specify the parameters in the execute statement if I'd binded them. I think using the bind statement gives better clarity.

  14. #14
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No escaping is ever done.*

    Escaping is only needed when the values are embeded into the sql statement itself, to make sure the start and end of a section is correctly interpreted by the sql parser. With a prepared statement, there is no potential for misinterpretation.

    *some databases don't support prepared statements, and so pdo emulates them. It transparently handles the escaping for you in this case.

  15. #15
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by crmalibu View Post
    No escaping is ever done.*

    Escaping is only needed when the values are embeded into the sql statement itself, to make sure the start and end of a section is correctly interpreted by the sql parser. With a prepared statement, there is no potential for misinterpretation.

    *some databases don't support prepared statements, and so pdo emulates them. It transparently handles the escaping for you in this case.
    ah...i see. think i've grasp a pretty good idea of how basic PDO works. thanks pal.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •