0

I have PHP code that takes a XML file that is updated daily and imports it into a MYSQL database. It was working fine until the other data I realized that players who have apostrophe with in their names weren't in the database. Below I listed the coding I am currently using and a XML example. Any help on this matter would be greatly appreciated

xml example of a player that uses an apostrophe in there name

<player>
<playername id="62583">Sa'Belle</playername>
<allianceid id="729"/>
<allianceroleid id="4749"/>
<race id="2"/>
</player>

Coding I am currently using 

set_time_limit(0); // unlimited max execution time
require_once 'kodadb.php';

function Unaccent($string)
{
    if (strpos($string = htmlentities($string, ENT_QUOTES, 'UTF-8'), '&') !== false)
    {
        $string = html_entity_decode(preg_replace('~&([a-z]{1,2})(?:acute|cedil|circ|grave|lig|orn|ring|slash|tilde|uml);~i', '$1', $string), ENT_QUOTES, 'UTF-8');
    }
    return $string;
}
function getGenDate($file, $elemName,$db) {
        $count = 0;
    // Open the file
    $reader = new XMLReader();
    if (!$reader->open($file)) {
        die("Failed to open '" . $file . "'");
    }
    while ($reader->read()) {
        if ($reader->name === $elemName) {
            $count++;
            $doc = new DOMDocument;
            $node = simplexml_import_dom($doc->importNode($reader->expand(), true));
                $gendate = $node->datagenerationdatetime;
                return ($gendate);
          }
     }
     $reader->close();
     return ($gendate);
}

function xmlReader($file, $elemName,$db,$genDate) {
    $count = 0;
    // Open the file
    $reader = new XMLReader();
    if (!$reader->open($file)) {
        die("Failed to open '" . $file . "'");
    }
    while ($reader->read()) {
        if ($reader->name === $elemName) {
            $count++;
            $doc = new DOMDocument;
            $node = simplexml_import_dom($doc->importNode($reader->expand(), true));
            $player['allianceid'] = $node->allianceid['id'];
            $player['allianceroleid'] = $node->allianceroleid['id'];
            $player['race'] = $node->race['id'];
            $player['id'] = $node->playername['id'];
            $player["Player_name"] = $node->playername;
            if ($player['id'] !== null) {
                $sql = "INSERT INTO `players`(`player_id`, `Player_name`, `alliance_id`, `alliance_role_id`, `race_id`) VALUES ('" . $player['id'] . "','" . $player["Player_name"] . "','" . $player['allianceid'] . "','" . $player['allianceroleid'] . "','" . $player['race'] . "');";
                echo $sql."<br>";
                $db->query($sql);
                if ($db->connect_errno) {
                    printf("Connect failed: %s\n", $db->connect_error);
                    exit();
                }
            }
        }
    }
    $reader->close();
    return($count);
}
$rustart = getrusage();

$db = doDatabase();
$sql = "TRUNCATE TABLE `players`";
$db->query($sql);
$file = "./tmp/datafile_players.xml";
$elemName = 'server';
$genDate = getGenDate($file, $elemName,$db);

$elemName = 'player';
$numRows = xmlReader($file, $elemName,$db,$genDate);
//echo "Inserted ".$numRows. " records into 'players'.";

function rutime($ru, $rus, $index) {
    return ($ru["ru_$index.tv_sec"]*1000 + intval($ru["ru_$index.tv_usec"]/1000))
     -  ($rus["ru_$index.tv_sec"]*1000 + intval($rus["ru_$index.tv_usec"]/1000));
}

$ru = getrusage();
echo "This process used " . rutime($ru, $rustart, "utime") .
    " ms for its computations\n";
echo "It spent " . rutime($ru, $rustart, "stime") .
    " ms in system calls\n";
kodabear
  • 340
  • 1
  • 14
  • @JoseManuelAbarcaRodríguez — It's a question about why bad data breaks SQL statements, which is what an SQL injection vulnerability is. The only difference is intent. The solutions are the same. – Quentin Jul 14 '16 at 15:13
  • @Quentin, ok, nevermind. – Jose Manuel Abarca Rodríguez Jul 14 '16 at 15:14
  • 1
    `$player["Player_name"] = addslashes( $node->playername );`. The opposite of `addslashes` is `stripslashes`. – Jose Manuel Abarca Rodríguez Jul 14 '16 at 15:17
  • 1
    oops had no idea that this question is a duplicate of an existing question. Should of tried harder when i was googling the question – kodabear Jul 14 '16 at 15:25
  • @JoseManuelAbarcaRodríguez — No! Read [the documentation for addslashes](http://php.net/addslashes)! **To escape database parameters, DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_literal(), pg_escape_string() for PostgreSQL) should be used for security reasons.** (Also, in general, don't escape strings for databases, use prepared statements, they are much easier to manage). – Quentin Jul 14 '16 at 15:33

0 Answers0