+- انجمن عمومی گسترش فناوری آگو (http://forums.ago.ir)
+-- انجمن: انجمن های عمومی گسترش فناوری آگو (/forumdisplay.php?fid=1)
+--- انجمن: برنامه نویسی (/forumdisplay.php?fid=13)
+--- موضوع: کلاسی برای کار با db برای مقابله با sql injection (/showthread.php?tid=2089)
کلاسی برای کار با db برای مقابله با sql injection - agotd - 02-11-2013 02:44 PM
امروز می خوام براتون یک کلاس رو بگذارم . این کلاس به شما کمک می کنه خیلی راحت اواع کوئری رو انجام بدید و خیالتون راحت باشه که هیچ وقت SQL Injection نمی تونه به برنامه شما نفوذ کنه .
کد php:
<?php
class mysql {
// Database server information
var $host; // (string) Host server of database
var $user; // (string) User
var $password; // (string) Password
var $db_name; // (string) Database that will be selected
var $port; // (int) Server port
var $connection = false; // (link identifier) MySQL connection link identifier
var $result; // (link identifier) MySQL result link identifier
// Class operation setup
// 0 LOG_NONE
// 1 ECHO
// 2 HIDDEN ECHO
// 3 LOG FILE
var $debuglv = 2 ;
var $error_level = 0 ;
var $error_desc = "No errors" ;
var $logfile = "datalog" ;
var $filehdl = 0 ;
var $messsages = array() ;
var $affected_rows = 0 ;
var $num_rows = 0 ;
var $recordcount = 0 ;
var $lastid = 0 ;
var $sqlString;
var $query_no = 0 ;
function mysql($host = "", $user = "", $password = "", $db_name = "", $port = "")
{
$this->host = ( !empty( $host ) ) ? (string)$host : "localhost";
$this->user = ( !empty( $user ) ) ? (string)$user : "root";
$this->password = ( !empty( $password ) ) ? (string)$password : "";
$this->db_name = ( !empty( $db_name ) ) ? (string)$db_name : "";
$this->port = ( !empty( $port ) ) ? (int)$port : 3306;
}
function connect($is_persistent = false)
{
$this->logfile_init() ;
if (!$is_persistent) {
$this->connection = @mysql_connect($this->host.':'.$this->port, $this->user, $this->password);
} else {
$this->connection = @mysql_pconnect($this->host.':'.$this->port, $this->user, $this->password);
}
$this->error_report() ;
if (!$this->connection) {
// Conection failed
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - ERROR " . $this->error_level . ": " . $this->error_desc . "\r\n" ) ;
$this->release_db() ;
} else { $this->select_db(); }
}
function select_db($db_name=false){
if ($db_name !== false) $this->db_name=$db_name;
// Select a database...
if (@mysql_select_db($this->db_name,$this->connection)) {
// Selecting Database OK
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - OPERATION O.K.: Connected to database " . $this->db_name . "\r\n" );
} else {
// Failed to select the database... abort connection process
$this->error_report() ;
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - ERROR " . $this->error_level . ": " . $this->error_desc . "\r\n" ) ;
$this->release_db() ;
}
}
// Releasing database connection
function release_db()
{
// Checking if a conection is open?
if ($this->connection) {
// Trying to close the connection ...
if (mysql_close($this->connection)) {
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - OPERATION O.K.: Database " . $this->db_name . " released" . "\r\n" );
} else {
// Failed to liberate the database...
$this->error_report() ;
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - ERROR " . $this->error_level . ": " . $this->error_desc . "\r\n" );
}
} else {
// No database open
$this->add_debug_message ( date("d/m/Y - H:i:s") . " - OPERATION CANCELLED: No database open" . "\r\n" );
}
// LOG the operation and close logging operations
$this->debug() ;
$this->logfile_close() ;
}
// Error reporting auxiliary method
function error_report()
{
$this->error_level = mysql_errno() ;
$this->error_desc = mysql_error() ;
}
// Log operations initialization
function logfile_init()
{
if ($this->debuglv==3) {
$this->add_debug_message ( date("d/m/Y - H:i:s") . " ===== SESSION STARTED BY " . $GLOBALS["PHP_SELF"] . " =====" . "\r\n" );
$this->logfile = $this->logfile . "-" . date("m") . "-" . date("Y") ;
$this->filehdl = fopen($this->logfile,'a') ;
if (!$this->filehdl) {
echo "<!-- UNABLE TO OPEN SPECIFIED LOG FILE " . $this->logfile . " -->" ;
$this->debuglv-- ;
$this->logfile_init() ;
}
break ;
}
$this->debug() ;
}
// Closing log operations
function logfile_close()
{
if ($this->filehdl) {
// If we opened a file to log operations need to close it
fclose($this->filehdl) ;
}
}
function add_debug_message($message)
{
$this->messsages[]=$message;
}
// Debugging operations
function debug()
{
switch ($this->debuglv) {
case 0: // NO LOG OPERATIONS
break ;
case 1: // SCREEN OUTPUT
foreach ($this->messsages as $m) {
echo 'DEBUG: ' . $m . '' ;
}
break ;
case 2: // SILENT OUTPUT (<!-- -->)
foreach ($this->messsages as $m) {
echo "\n<!-- DEBUG: " . $m . "-->\n" ;
}
break ;
case 3: // FILE OUTPUT
foreach ($this->messsages as $m) {
fwrite($this->filehdl,$this->msg) ;
}
break ;
}
}
// Destructor
function destroy()
{
$this->release_db() ;
}
// performes an sqlQuery
function query($sqlString)
{
$this->sqlString=$sqlString;
$this->query_no++;
if ($this->connection !== false) {
$this->result = mysql_query($sqlString,$this->connection) ;
$this->error_report() ;
// Affectected rows...
if ($this->result) {
// Execution was o.k.
$this->affected_rows = mysql_affected_rows( $this->connection );
if (is_resource($this->result)) {
$this->num_rows = mysql_num_rows( $this->result );
} else $this->num_rows = 0;
$this->lastid = mysql_insert_id( $this->connection );
$this->add_debug_message( date("d/m/Y - H:i:s") . " - OPERATION O.K.: Executed [" . $this->sqlString ."] [affected " . $this->affected_rows . " rows] [rows in result " . $this->num_rows . " ]" . "\r\n" );
return true;
} else {
// Execution Failed
$this->affected_rows = 0 ;
$this->num_rows = 0 ;
$this->add_debug_message( date("d/m/Y - H:i:s") . " - OPERATION FAILED: Executed [" . $this->sqlString . "] got " . $this->error_level . " " . $this->error_desc . "\r\n" );
return false;
}
} else {
// No database ready to query
$this->affected_rows = 0 ;
$this->num_rows = 0 ;
$this->add_debug_message( date("d/m/Y - H:i:s") . " - OPERATION FAILED: No database open OR no SQL command provided" . "\r\n" );
return false;
}
}
function fetch_assoc( $result = false )
{
if ( $result === false ) $result = $this->result;
return mysql_fetch_assoc( $result );
}
function clean_data($data)
{
return mysql_real_escape_string($data,$this->connection);
}
function fetch_data_array ()
{
$data=array();
while( $row = $this->fetch_assoc() )
{ $data[]=$row; }
return $data;
}
// grabs a list of rows from a tabel ... returnes an array of data
function list_table( $table_name, $where = false, $parameters = array () )
{
$range = ( isset($parameters['range']) && !empty($parameters['range']) ) ? $parameters['range'] : " * " ;
$sortColumn = ( isset($parameters['sortColumn']) && !empty($parameters['sortColumn']) ) ? $parameters['sortColumn'] : false ;
$sortType = ( isset($parameters['sortType']) && !empty($parameters['sortType']) ) ? $parameters['sortType'] : "ASC" ;
$limitOffset = ( isset($parameters['limitOffset']) && !empty($parameters['limitOffset']) ) ? $parameters['limitOffset'] : false ;
$rowCount = ( isset($parameters['rowCount']) && !empty($parameters['rowCount']) ) ? $parameters['rowCount'] : false ;
$queryString= "SELECT $range FROM $table_name ";
if ( $where !== false ) $queryString .= " WHERE ".$where;
if ( $sortColumn !== false ) $queryString .= " ORDER BY `$sortColumn` $sortType ";
if ( $rowCount !== false ) {
$queryString .= " LIMIT ";
if ( $limitOffset !== false ) $queryString .= " $limitOffset, ";
$queryString .= " $rowCount ";
}
$this->query($queryString);
if( $this->num_rows < 1 ) { return false; }
else { return $this->fetch_data_array(); }
}
// fetch a row from a table
function fetch_row( $table_name, $where = false , $parameters = array () )
{
$range = ( isset($parameters['range']) && !empty($parameters['range']) ) ? $parameters['range'] : " * " ;
$range = ( isset($parameters['range']) && !empty($parameters['range']) ) ? $parameters['range'] : " * " ;
$queryString= "SELECT $range FROM $table_name ";
if ( $where != false ) $queryString .= " WHERE $where LIMIT 1";
$this->query($queryString);
if( $this->num_rows < 1 ) { return false; }
else { return $this->fetch_assoc(); }
}
function count_records( $table_name, $where =false , $parameters = array() )
{
$queryString= "SELECT COUNT(*) as rNumber FROM $table_name ";
if ( $where != false ) $queryString .= " WHERE $where ";
if ($this->query($queryString) == true ){
$row=$this->fetch_assoc();
return $row["rNumber"];
} else return false;
}
function increment_field( $table_name, $field, $where, $parameters = array() )
{
$queryString= "UPDATE $table_name SET `$field`=`$field`+1 WHERE $where ";
$this->query($queryString);
}
function record_update( $table_name, $data, $where, $parameters = array() )
{
$queryString="UPDATE ".$table_name." SET ";
$fields=array();
foreach ($data as $key=>$value) {
$fields[] = " `$key`='".$this->clean_data( $value )."' ";
}
$queryString .= implode(',',$fields)." WHERE ".$where;
return $this->query($queryString);
}
function record_insert( $table_name, $data, $parameters = array() )
{
$queryString="INSERT INTO ".$table_name." (";
$columns=array();
$values=array();
foreach ($data as $key=>$value)
{
$columns []= '`'.$key.'`';
$values []= "'".$this->clean_data( $value )."'";
}
$queryString .= implode(',',$columns) .") VALUES (". implode(',',$values) .") ";
return $this->query($queryString);
}
function record_delete( $table_name, $where, $parameters = array() )
{
$queryString = "DELETE FROM ". $table_name ." WHERE ". $where;
$this->query($queryString);
}
function table_info($table_name)
{
$this->query(" SELECT * FROM $table_name LIMIT 1");
$fields = mysql_num_fields($this->result);
for ($i=0; $i <= $fields; $i++) {
$fields[$i]['type'] = mysql_field_type($result, $i);
$fields[$i]['name'] = mysql_field_name($result, $i);
$fields[$i]['len'] = mysql_field_len($result, $i);
}
return $fields;
}
function table_max_value( $table, $field)
{
$this->query(" SELECT max($field) as max_value FROM $table ");
$data=$this->fetch_assoc();
return $data["max_value"];
}
}
?>این هم نمونه استفاده از این کلاس
کد php:
<?php
// conection
$mysql= new mysql('localhost' , 'userSQL', 'passwSQL', 'Selected_DB' );
$mysql->connect();
// fetch row
$row=$mysql->fetch_row( 'TableName', " id='12' ");
// fetch array of rows
$rows=$mysql->list_table( 'TableName', " column='3' ", array ('range' => 'id,name') );
// fetch rows from multiple tables
$rows=$mysql->list_table( ' TableName1 t1,TableName1 t2 ', " t1.column1=t2.column2 ", array ('range' => ' t1.column1_1, t2.column1_2 ') );
// fetch whole table
$tableList=$mysql->list_table( 'TableName', false , );
// fetch a part of a table - pagination example
$parameters['limitOffset']=10; # Offet Start
$parameters['rowCount']=10; # No of rows returned
$where=" columnName='3' ";
$tableList=$mysql->list_table( 'TableName', where , $parameters );
$data=array('columnName1' => 'value1',
'columnName2' => 'value2',
'columnName3' => 'value3',
);
// insert data ... it returns true or false
$insertAtempt=$mysql->record_insert('TableName',$data);
// update data
$updateAtempt=$mysql->record_update('TableName',$data," id='3' ");
?>