
My query is:

$sqlCommand="select `ID` from `freecomputermarket`.`members` where `UserName`='$this->_userName';";

I am using XAMPP as the Apache server and I am working on port (89).

This class is responsible for the database connection:

<?php
class MySql
{
    private $_link_Id,$_query_Id,$_serverName,$_userName,$_password,$_dbName,$_rowNum;

    public function __construct()
    {
        $this->_serverName="localhost";
        $this->_userName="root";
        $this->_password="";
        $this->_dbName="freecomputermarket";
    }
    public function connect()
    {
        $this->_link_Id=mysql_connect($this->_serverName,$this->_userName,$this->_password);
        if(!$this->_link_Id)
        {
            exit("The Connect is Failed");
        }
        $db_select=mysql_select_db($this->_dbName,$this->_link_Id);
        if(!$db_select)
        {
            exit("Can't Select DataBase");
        }
    }
    public function query($sqlcommand)
    {
        $sqlcommand= addslashes($sqlcommand);
        //echo $sqlcommand;
        $this->_query_Id=mysql_query($sqlcommand,$this->_link_Id);
        exit($this->_query_Id);//print it to check if it is available.
        if(!$this->_query_Id)
            exit("Query failed");
        $this->_rowNum=mysql_affected_rows();
    }
    public function getRow()
    {
        if($this->_rowNum)
        {
            return mysql_fetch_assoc($this->_query_Id);
        }
    }
    public function getAllRows()
    {
        $arr=array();
        $count=0;
        while($count<$this->_rowNum)
        {
            array_push($arr,$this->GetRow());
            $count++;
        }
        return $arr;
    }
    public function getAffectedRowsNumber()
    {
        return $this->_rowNum;
    }
}
?>

This code connects to the MySQL DBMS and executes queries. When printing $_link_Id, it has a value. When printing $_query_Id, it has nothing?

Alaa Jabre
  • Please properly indent your code, others need to read it. Also use `var_dump` for debugging, not `exit`. – hakre Sep 27 '12 at 12:42
  • Thank you hakre for informing me about var_dump – Sami Mohamed Sep 27 '12 at 12:46
  • In case you're looking for some `mysql_*` functions based database class, there is one in [this answer](http://stackoverflow.com/a/11580420/367456) that contains error handling as well as a result object that can be easily extended. And as commented below, `addslashes` does not belong into the `query` method. If you want to make writing SQL queries more comfortable, add another class that is building these strings, comparable to: http://stackoverflow.com/a/12221284/367456 (it's not perfect but might give you some pointers). – hakre Sep 27 '12 at 12:58
  • Thank you hakre, addslashes() is the problem – Sami Mohamed Sep 27 '12 at 13:07
  • But what should I use to prevent SQL injection and apostrophes? – Sami Mohamed Sep 27 '12 at 13:08
  • You should not write your own database class, but use PDO, it has prepared statements which works towards your goal to prevent SQL injection. That's also written in the linked answer. – hakre Sep 27 '12 at 13:16
  • It's worth pointing out that the `mysql_xxx()` functions are considered obsolete. The PHP manual recommends switching to either `mysqli_xx()` or the PDO library. I suggest reading here: http://phpbestpractices.org/#mysql – SDC Sep 27 '12 at 13:21
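The comments above recommend PDO prepared statements in place of escaping. The block below is an added example, not code from the question or from any answer: it performs the question's member lookup on PDO with a bound parameter and shows what addslashes() does to a finished query. The MemberRepository class and findIdByUserName method are assumed names; the connection settings and the table and column names are the question's own (local XAMPP MySQL on its default port; port 89 is the Apache port and does not belong in the DSN).

```php
<?php
// Added example (not from the question or answers): the question's lookup
// rewritten on PDO so the user name travels as a bound parameter and is never
// spliced into the SQL text. Class and method names are assumed.
declare(strict_types=1);

final class MemberRepository
{
    private PDO $pdo;

    public function __construct(string $host, string $db, string $user, string $pass)
    {
        $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /** Returns the member ID for $userName, or null when no such member exists. */
    public function findIdByUserName(string $userName): ?int
    {
        // The SQL text is constant; the value is sent separately, so quotes,
        // backslashes or SQL keywords inside $userName are plain data.
        $stmt = $this->pdo->prepare('SELECT `ID` FROM `members` WHERE `UserName` = :name');
        $stmt->execute([':name' => $userName]);
        $row = $stmt->fetch();
        return $row === false ? null : (int) $row['ID'];
    }
}

// Why the question's class failed: addslashes() on a finished query escapes the
// quotes that delimit the string literal, so MySQL sees \' and rejects the query.
$broken = addslashes("select `ID` from `members` where `UserName`='alice'");
var_dump($broken); // select `ID` from `members` where `UserName`=\'alice\'

try {
    // Question's local XAMPP settings (constructed call, not from the page).
    $repo = new MemberRepository('localhost', 'freecomputermarket', 'root', '');
    var_dump($repo->findIdByUserName("O'Brien")); // apostrophe in the name is handled safely
} catch (PDOException $e) {
    echo 'Database error: ', $e->getMessage(), PHP_EOL;
}
```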

3 Answers


The problem is here:

$sqlcommand= addslashes($sqlcommand);

Don't use addslashes.

Use it like this:

//$sqlcommand= addslashes($sqlcommand);
$this->_query_Id=mysql_query($sqlcommand,$this->_link_Id);
Yogesh Suthar
<?php
class MySql
{
    private $_link_Id,$_query_Id,$_serverName,$_userName,$_password,$_dbName,$_rowNum;

    public function __construct()
    {
        $this->_serverName="localhost";
        $this->_userName="root";
        $this->_password="";
        $this->_dbName="freecomputermarket";
    }
    public function connect()
    {
        $this->_link_Id=mysql_connect($this->_serverName,$this->_userName,$this->_password);
        if(!$this->_link_Id)
        {
            exit("The Connect is Failed");
        }
        $db_select=mysql_select_db($this->_dbName,$this->_link_Id);
        if(!$db_select)
        {
            exit("Can't Select DataBase");
        }
    }
    public function query($sqlcommand)
    {
        // addslashes() must not be applied to the whole query: it escapes the
        // quotes that delimit the string literal and the query no longer parses.
        // $sqlcommand= addslashes($sqlcommand);
        //echo $sqlcommand;
        $this->_query_Id=mysql_query($sqlcommand,$this->_link_Id);
        // Debug exit commented out: it would stop the script before the result is checked.
        //exit($this->_query_Id);//print it to check if it is available.
        if(!$this->_query_Id)
            exit("Query failed");
        $this->_rowNum=mysql_affected_rows();
    }
    public function getRow()
    {
        if($this->_rowNum)
        {
            return mysql_fetch_assoc($this->_query_Id);
        }
    }
    public function getAllRows()
    {
        $arr=array();
        $count=0;
        while($count<$this->_rowNum)
        {
            array_push($arr,$this->GetRow());
            $count++;
        }
        return $arr;
    }
    public function getAffectedRowsNumber()
    {
        return $this->_rowNum;
    }
}
?>

The addslashes() function is the problem.


The problem is in the public function query($sqlcommand): you did not start the connection in that scope. You should call connect() in function query($sqlcommand).

IT Advanture