
replace mysql with pdo

Open Xkeeper0 opened this issue 9 years ago • 5 comments

Right now there is a mixture of raw mysql_...() commands and commands run through a mysql pseudo-class. These should be replaced with a PDO-based class (and queries redone to use prepared statements).

Xkeeper0 avatar Aug 09 '15 09:08 Xkeeper0

I highly recommend doing this. That way, you won't need to use addslashes, magic_quotes, and the auto IP ban thingy for "UNION SELECT". Don't know if you've been keeping up to date with Acmlmboard 2, but it has now completely dropped the magic_quotes dependency, as all dynamic queries are now prepared queries.

Also, when you have keys in a string, you should put single quotes around the array key and braces around the variable and the brackets. For example, print "User {$user['name']} ate the pineapple."; rather than print "User $user[name] ate the pineapple."; This will prevent the "Notice: Undefined index: name in /home/whatever/index.php on line 10" errors from showing up.

Good luck.

SquidEmpress avatar Nov 20 '15 03:11 SquidEmpress
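Added example (not code from this thread, from Acmlmboard, or from this project) of the point above about addslashes versus prepared statements. It uses an in-memory SQLite database so it runs without a MySQL server; the table layout, the post/user data and the attacker input are constructed for the demo, and the function names are assumptions. The injection itself behaves the same way through PDO_MYSQL.

```php
<?php
// Added example, not project code. Requires PHP with the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and data for the demo.
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 'Hello', 'first post')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value')");

// Old style: escape with addslashes() and splice the value into the SQL text.
// The id sits in a numeric context, so there are no quotes for addslashes()
// to escape; whatever the user sends is parsed as SQL.
function fetchPostLegacy(PDO $db, string $id): array
{
    $id  = addslashes($id);
    $sql = "SELECT id, title, body FROM posts WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// PDO style: the value is sent as a bound parameter and is never parsed as SQL,
// so no escaping, magic_quotes, or keyword blacklisting is needed.
function fetchPostPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title, body FROM posts WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: the classic UNION SELECT the old IP-ban rule
// was trying to catch. addslashes() leaves it untouched (no quotes in it).
$attack = '0 UNION SELECT id, name, pwhash FROM users';

print_r(fetchPostLegacy($db, $attack));
print_r(fetchPostPrepared($db, $attack));
print_r(fetchPostPrepared($db, '1'));
```

Running it, the legacy function returns the users row (the admin name and hash show up in the title and body columns), the prepared version returns an empty array because the entire string is compared against the integer id and matches nothing, and the prepared version with a real id returns the post. Binding the value as PDO::PARAM_INT would be stricter still, but the point is that bound parameters are data regardless of type.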

I am well aware of these issues -- the majority of the code dates back to 2001.

P.S. I do not appreciate you sending death threats to members, so kindly go away, forever. Thanks.

Xkeeper0 avatar Dec 01 '15 00:12 Xkeeper0

OK, fine. She was a former friend of mine who stabbed me in the back months ago so I personally don't care.

SquidEmpress avatar Dec 01 '15 13:12 SquidEmpress

While I can only recommend prepared queries, the portability argument for PDO is moot: PDO can handle multiple database systems, but that's about it; it doesn't cover the syntax differences in more complex/specific SQL queries.

Arisotura avatar Jan 09 '16 00:01 Arisotura

From what I've tested in my fork, it is possible to have an almost compatible PDO class that can replace the MySQL one.

"Almost", because:

  • From what I've seen, in PDO+MySQL there are no scrollable cursors, so instances of mysql_data_seek have to be worked around. It's not really an issue, but it's there. (This means you'd have to cache the actual arrays instead of the result pointer.)
  • The correct way to select a database is to do so when connecting. Not an issue at all, but it means that $sql->selectdb can't be used.
  • The PDO equivalent of mysql_result only allows selecting the column, not the row. No queries use that functionality anyway, so who cares.
  • Strings escaped by PDO::quote should not be enclosed in quotes, since those are added automatically, unlike with mysql_real_escape_string. When using prepared statements it doesn't matter, since the function isn't going to be used, but since there are none as-is, it may mean recreating that mysql_ function by manually escaping the affected characters.

Though converting also means replacing the remaining raw mysql_ commands with calls to the mysql class, because mixing PDO and mysql_ commands obviously doesn't do any good.

Kak2X avatar Jan 08 '17 18:01 Kak2X
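Added example (not code from the fork, from this project, or from this thread) of the "almost compatible" wrapper described above, covering the four caveats listed: rows are cached so a data_seek equivalent works without a scrollable cursor, the database is chosen in the DSN instead of a selectdb call, a result($row, $col) helper selects the row itself since fetchColumn() only picks the column, and an escape() helper strips the quotes PDO::quote adds so legacy concatenation code keeps working. Class, method and table names are assumptions; the DSN is SQLite in memory so it runs offline (for MySQL the DSN would name the database, e.g. 'mysql:host=127.0.0.1;dbname=board;charset=utf8mb4'). Requires PHP 8.0+ for the union return types.

```php
<?php
// Added example, not project code. Requires PHP 8.0+ with pdo_sqlite (or pdo_mysql).

class PdoResult
{
    private array $rows;    // every row fetched up front; stands in for a scrollable cursor
    private int $pos = 0;

    public function __construct(PDOStatement $stmt)
    {
        // Statements without a result set (INSERT, CREATE) have no columns to fetch.
        $this->rows = $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
    }

    // mysql_fetch_assoc(): next row, or false once exhausted
    public function fetch(): array|false
    {
        return $this->rows[$this->pos++] ?? false;
    }

    // mysql_num_rows()
    public function numRows(): int
    {
        return count($this->rows);
    }

    // mysql_data_seek(): reposition in the cached array, no server round trip
    public function seek(int $row): bool
    {
        if ($row < 0 || $row >= count($this->rows)) {
            return false;
        }
        $this->pos = $row;
        return true;
    }

    // mysql_result($res, $row, $col): PDO's fetchColumn() only picks the column,
    // so pick the row from the cache ourselves. Returns null if out of range.
    public function result(int $row, string $col): mixed
    {
        return $this->rows[$row][$col] ?? null;
    }
}

class PdoSql
{
    private PDO $pdo;

    // The database is part of the DSN, which is why there is no selectdb() here.
    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }

    // The path new code should take: a prepared statement with bound values.
    public function query(string $sql, array $params = []): PdoResult
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return new PdoResult($stmt);
    }

    // Migration shim for legacy "... WHERE name='" . $sql->escape($x) . "'" code.
    // PDO::quote() returns the value WITH surrounding quotes, so strip them to keep
    // the mysql_real_escape_string() contract. Prefer query() with parameters.
    public function escape(string $value): string
    {
        $quoted = $this->pdo->quote($value);
        if ($quoted === false) {
            throw new RuntimeException('driver does not support quoting');
        }
        return substr($quoted, 1, -1);
    }
}

// Constructed demo data.
$sql = new PdoSql('sqlite::memory:');
$sql->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
foreach (['alice', "o'brien", 'carol'] as $i => $name) {
    $sql->query('INSERT INTO users (id, name) VALUES (?, ?)', [$i + 1, $name]);
}

$res = $sql->query('SELECT id, name FROM users ORDER BY id');
while ($row = $res->fetch()) {
    echo $row['id'], ': ', $row['name'], "\n";
}
$res->seek(1);                                  // back to the second row, as mysql_data_seek() would
echo $res->fetch()['name'], "\n";
echo $res->result(2, 'name'), "\n";             // third row, name column

// Legacy-style concatenation still works through escape(); the caller supplies the quotes.
$res = $sql->query("SELECT name FROM users WHERE name = '" . $sql->escape("o'brien") . "'");
echo $res->numRows(), "\n";
```

The escape() shim works across drivers because PDO::quote already applies the backend's own escaping (doubled quotes for SQLite, backslash escapes for MySQL) and only the outer quote characters are removed. Caching with fetchAll() trades memory for the seek capability, which is the point made in the first bullet above; for very large result sets the calling code should iterate with fetch() instead of seeking. With pdo_mysql you would also usually set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, handles parameter substitution.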