What do you think?
#1

Well, I have started a small project: a small class that lets the user control a MySQL database (in PHP) with fewer commands and on a secured system.
I had this idea because a lot of users on this forum are victims of SQL injection in PHP (the ones who don't know about it).
So I thought of creating a PHP class that lets you manage MySQL normally, but in a different way.

For example, to connect to the MySQL database you need to do:
PHP code:
$db = mysql_connect($host, $user, $pass);
mysql_select_db($database, $db);
With this script, you just need to do:
PHP code:
require "mysql_class.php";
$mysql = new mysql($host, $user, $pass, $database);
For example, you want to log in a user.
The normal script requires:
PHP code:
$db = mysql_connect($host, $user, $pass);
mysql_select_db($database, $db);
$user = mysql_real_escape_string($variableuser);
$pass = mysql_real_escape_string($variablepass);
$login = mysql_query("SELECT * from users WHERE username = '$user' AND pass = '$pass'", $db);
if(mysql_num_rows($login) == 1)
{
    //continue the login
}
else {
    // show the error message
}
With this class, you just need to do:
PHP code:
require "mysql_class.php";
$mysql = new mysql($host, $user, $pass, $database);
$login = $mysql->query("SELECT * FROM users WHERE username = '$user' AND pass = '$pass'");
if($mysql->NumRows($login) == 1)
{
    // login the user
}
else {
    // error message
}
You don't need to use mysql_real_escape_string, since at that moment the query will take the $variables and escape them.
This will really speed up some scripts, with fewer lines of scripting.
This is more like an "anti-cheat" system and a "hack" at the same time: an anti-cheat system because it protects against SQL injections, and a hack because you need to script less for more.

I would like to know what you think about this, because I really don't want to be scripting the whole week + weekend to get this class done.

Thanks!
Reply
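Editor's note on the design in post #1, with an added example (it is not the poster's mysql_class.php and does not come from the thread). In the usage shown above, $user and $pass are interpolated into the SQL string by PHP before $mysql->query() is ever called, so the class receives a single merged string and has no way to tell which bytes were the query and which were user input; nothing it does afterwards can escape them. The fix is to keep SQL and data in separate arguments and let the database driver bind them, which is what PDO prepared statements do. The example uses an in-memory SQLite database so it runs offline; the SafeDb class, the users table and the rows are constructed for the demonstration, and password_verify() replaces the plaintext pass column of the post.

```php
<?php
// Added example (editor's, not the class from the post): a wrapper whose query()
// takes the SQL with "?" placeholders and the user data as a separate array.
// In-memory SQLite via PDO so it runs offline; table and rows are sample data.

class SafeDb
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        // For MySQL you would also put charset=utf8mb4 in the DSN and set
        // PDO::ATTR_EMULATE_PREPARES => false so the server does the binding.
    }

    // $sql contains only placeholders; every user-controlled value goes in $params.
    public function query(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    public function exec(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

// Constructed sample data: one user with a hashed password.
$db = new SafeDb('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pass_hash TEXT)');
$db->exec('INSERT INTO users (username, pass_hash) VALUES (?, ?)',
          ['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Login that never puts user input into SQL text and checks the password in PHP.
function login(SafeDb $db, string $user, string $pass): bool
{
    $rows = $db->query('SELECT pass_hash FROM users WHERE username = ?', [$user]);
    return count($rows) === 1 && password_verify($pass, $rows[0]['pass_hash']);
}

// Classic payload typed into the password field.
$evil = "' OR '1'='1";

// 1) The post's pattern: PHP merges the payload into the string first. The
//    wrapper only ever sees the finished SQL, so the OR clause is real SQL and
//    the WHERE matches every row: a login with an unknown user and no password.
$interpolated = "SELECT * FROM users WHERE username = 'nobody' AND pass_hash = '$evil'";
echo 'interpolated rows : ' . count($db->query($interpolated)) . PHP_EOL;   // 1

// 2) Placeholder + parameter: the same payload is compared as a plain string.
$bound = $db->query('SELECT * FROM users WHERE username = ? AND pass_hash = ?', ['nobody', $evil]);
echo 'parameterised rows: ' . count($bound) . PHP_EOL;                      // 0

var_dump(login($db, 'alice', 'correct horse'));   // bool(true)
var_dump(login($db, 'nobody', $evil));            // bool(false)
```

The usable rule for a wrapper like the one proposed: the only method that builds SQL is one that accepts placeholders, and there is no method that takes an already-assembled string from the caller. Escaping helpers (mysql_real_escape_string, or PDO::quote) are then unnecessary for values, and cannot help for things that are not values anyway, such as table names or ORDER BY columns, which have to be checked against a fixed allow-list in PHP.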
#2

Nice work, I think this is a safe way to do everything, and coding will go faster.
If you use this system in all the panels and things you make, it will be very safe.

Nice work
Reply
#3

Yeah, totally. Just do it properly.
Here's something to start with:

PHP code:
    //#^^ Input Cleaning Function ^^#//
    /*
        Cleans raw input, if link id
        is supplied the data will be
        prepped for DB entry, if Save
        option is set to true HTML will
        be converted rather than removed.

        ACCEPTS: [VALUE] = string, [LINK] = db connection id, [SAVE] = bool
        RETURNS: Clean user input
    */
    private function Sanitize($value, $link = null, $save = false)
    {
        //TempDataHolder
        $tempvar = null;

        //If sending to a DB clean up for query
        if($link != null)
        {
            if($save)
            {
                //Convert tags to ASCII CODE
                $tempvar = htmlentities($value, ENT_QUOTES);
                $value = $tempvar;

                //Strip anything remaining
                $tempvar = strip_tags($value);
                $value = $tempvar;
            }
            else
            {
                //Strip code tags out
                $tempvar = strip_tags($value);
                $value = $tempvar;

                //Convert Remaining special chars
                $tempvar = htmlentities($value, ENT_QUOTES);
                $value = $tempvar;
            }

            //PHP manual highly recommends this function
            //for any value being entered into a database
            $tempvar = mysql_real_escape_string($value, $link);
            $value = $tempvar;
        }
        else
        {
            //Strip code tags out
            $tempvar = strip_tags($value);
            $value = $tempvar;

            //Convert Remaining special chars
            $tempvar = htmlentities($value, ENT_QUOTES);
            $value = $tempvar;
        }
        return $value;
    }
There's some other basic stuff that people shouldn't forget, for example the .htaccess file. I forgot it once and someone gained access by simply checking the config; thank god I had a different password for FTP and the project was in beta stages.
Reply
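Editor's note on the Sanitize() function in post #3, with an added example (editor's code, not the poster's). The function does two different jobs in one place: it encodes the value for HTML (strip_tags, htmlentities) and then escapes it for SQL (mysql_real_escape_string). Those belong to different layers. Storing HTML-encoded text means the database no longer holds what the user typed, searches on it fail, and any later output that encodes correctly encodes it a second time; stripping tags silently destroys legitimate input such as "a < b". The SQL half also depends on the connection character set having been set (mysql_set_charset) to be correct, and the whole mysql_* extension was removed in PHP 7.0. The example below stores the raw value through a prepared statement and encodes once, at output time, for the context it is rendered into. It runs against an in-memory SQLite database; the comments table, the sample input and the sanitizeLikeThePost() reconstruction are constructed for the demonstration.

```php
<?php
// Added example (editor's, not the function from the post): keep SQL escaping
// and HTML encoding in separate layers. Raw value in via a bound parameter,
// encoded once on the way out. In-memory SQLite via PDO; inputs are constructed.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// The post's input-side approach, minus the mysql_real_escape_string step
// (the mysql_* extension no longer exists in PHP 7+).
function sanitizeLikeThePost(string $value): string
{
    $value = strip_tags($value);
    return htmlentities($value, ENT_QUOTES);
}

// Storage layer: the raw string is bound as a parameter, so quotes and angle
// brackets are data, never SQL. Nothing is escaped or encoded here.
function store(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->execute([$body]);
    return (int) $pdo->lastInsertId();
}

function fetchBody(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

// Output layer: encode for HTML exactly once, with an explicit charset.
function renderHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: a quote, a tag and double quotes.
$input = "O'Reilly <script>alert(1)</script> \"hi\"";

// Path A: pre-sanitised on the way in, then encoded (correctly) on the way out.
// Stored copy: O&#039;Reilly alert(1) &quot;hi&quot;   (tags gone, entities stored)
// Rendered:    O&amp;#039;Reilly alert(1) &amp;quot;hi&amp;quot;   (double-encoded)
$idA = store($pdo, sanitizeLikeThePost($input));
echo 'stored A : ' . fetchBody($pdo, $idA) . PHP_EOL;
echo 'render A : ' . renderHtml(fetchBody($pdo, $idA)) . PHP_EOL;

// Path B: raw in, encoded at output.
// Stored copy: exactly what the user typed (searchable, reusable for JSON or mail)
// Rendered:    O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt; &quot;hi&quot;
$idB = store($pdo, $input);
echo 'stored B : ' . fetchBody($pdo, $idB) . PHP_EOL;
echo 'render B : ' . renderHtml(fetchBody($pdo, $idB)) . PHP_EOL;

// A search for the author's name only finds the raw copy (path B).
$stmt = $pdo->prepare('SELECT COUNT(*) FROM comments WHERE body LIKE ?');
$stmt->execute(["%O'Reilly%"]);
echo "rows matching O'Reilly: " . $stmt->fetchColumn() . PHP_EOL;   // 1
```

The same "encode at the boundary you are crossing" rule applies to the other contexts a value can end up in: json_encode() for JavaScript, rawurlencode() for URLs, a parameter binding for SQL. On the .htaccess point in the post: a config file that holds database credentials is safer kept outside the document root (the web server then cannot serve it at all) than protected only by a deny rule that is lost when the file is forgotten or the server is not Apache.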
#4

Quote:
Originally Posted by ca2k
Yeah, totally. Just do it properly.
Here's something to start with:
[...]
I should use this function and edit it a little to be compatible with the system itself.
Well, thanks for the tip ^^,
And I've been doing the escape system in the function; I'll create a private one, which offers more security for the code: all code is escaped before being inserted into the MySQL database.
Anyway, thanks to the people who are supporting this "system"!
Reply