OSCommerce tep_db_input vs tep_db_prepare_input

I am working on a project that uses OSCommerce with MySQL, and I'm confused about when I have to use tep_db_input() or tep_db_prepare_input(). I would guess that I should use tep_db_input() around any strings that are inserted/updated, but then when should the other function be used?

For example, if I were to select some data from a database and use the result to then insert a row into another table, do I need to prepare the input at some point? Or just use tep_db_input again?

```php
$width = '3"';          // 3 inches
$new_height = '3\' 5"'; // 3 feet 5 inches

$result = tep_db_query(
    "SELECT height FROM measurements WHERE width = '" . tep_db_input($width) . "'"
);

while ($row = tep_db_fetch_array($result)) {
    tep_db_query(
        "INSERT INTO measurement_history (field, old_value, new_value) VALUES ('height', '"
        . tep_db_input($row['height']) . "', '" . tep_db_input($new_height) . "')"
    );
}
```

Is it correct?

Edit: In case someone is not familiar with these functions, here are their definitions:

```php
function tep_sanitize_string($string) {
  // collapse runs of spaces and replace < and > with underscores
  $patterns = array ('/ +/', '/[<>]/');
  $replace = array (' ', '_');
  return preg_replace($patterns, $replace, trim($string));
}

function tep_db_input($string, $link = 'db_link') {
  global $$link;
  // escape for use inside a quoted SQL literal, using the best function available
  if (function_exists('mysql_real_escape_string')) {
    return mysql_real_escape_string($string, $$link);
  } elseif (function_exists('mysql_escape_string')) {
    return mysql_escape_string($string);
  }
  return addslashes($string);
}

function tep_db_prepare_input($string) {
  if (is_string($string)) {
    // undo magic quotes, then sanitize
    return trim(tep_sanitize_string(stripslashes($string)));
  } elseif (is_array($string)) {
    // recurse into arrays (e.g. $_POST); each() is the original osCommerce idiom
    reset($string);
    while (list($key, $value) = each($string)) {
      $string[$key] = tep_db_prepare_input($value);
    }
    return $string;
  } else {
    return $string;
  }
}
```
+7
2 answers

tep_db_input uses mysql_real_escape_string or mysql_escape_string, and that is the recommended way of preparing database input. (And I assume that this function will use mysqli_real_escape_string() or similar in a later version, since mysql_real_escape_string will be deprecated starting from PHP 5.5.0.)

Whereas tep_db_input with mysql_real_escape_string only escapes:

 mysql_real_escape_string() calls MySQL library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. 

tep_db_prepare_input does various things, such as trimming spaces, replacing brackets and (oddly!) calling stripslashes.

So my advice is: always use tep_db_input. And if you use tep_db_prepare_input to get rid of spaces etc., use tep_db_input as well.

+6

This is a little strange, but you use both. Doing so prevents attacks by intruders as well as unexpected problems with unusual input.

Use tep_db_prepare_input for any input from an HTML form. This fixes problems with HTML, magic quotes and script injection. Do not use it on text retrieved from a database.

Then use tep_db_input before writing it to the database. This escapes MySQL special characters to prevent SQL injection attacks and similar problems.

Here is an example of code that shows this:

```php
$clean = tep_db_prepare_input($_POST['name']);
$query_text = tep_db_query("select * from " . TABLE_NAME . " where name='" . tep_db_input($clean) . "'");
```
+1
