I'm new and hoping to learn programming. I chose PHP and am working my way through the 4th edition O'Reilly book. I'm trying to understand the first major program. I'm sure it is very simple, but I don't quite understand one part. Here are the relevant parts of the program, which I simplified a bit:

$conn = new mysqli(parameters to connect to database);

$stuff = get_post($conn, 'stuff');

$query = "INSERT INTO table VALUES" . "('$stuff')";

$result = $conn->query($query);

function get_post($conn, $var) {
    return $conn->real_escape_string($_POST[$var]);
}

I understand it's a way to prevent hacks with malicious user input. The part I don't understand is why or how the $_POST, which contains the form user input, is treated as a property of the database before it goes into the database (with the last line). I thought stuff would be stripped before going into a database. I'm sure I'm missing something very elementary here, so I hope someone can explain how this works.

Basically I struggle to see how $_POST becomes a property of $conn. Can anyone walk me through it?

Thanks for any assistance.

    There are better methods, [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Nov 08 '16 at 20:40
  • I think you have some misconceptions about what's happening, Chris. Where are you seeing `$_POST` as a property of `$conn`? – CollinD Nov 08 '16 at 20:43
  • Hi there. Yes, the better methods are covered in the next chapter, but I am a fledgling novice, so I'm trying to make sure I understand what's going on with this simple if insecure way before advancing. My confusion is from `Return $conn->real_escape_string($_POST[$var])`, which I guess if I simplify it to just `Return $conn->($_POST[$var])` I'm likely confused by what the arrow signifies. – Chris Nov 09 '16 at 13:53

1 Answer

Let's go step by step:

$conn = new mysqli(parameters to connect to database)

With this line, you create an object that will interact with the MySQL database.

$stuff = get_post($conn, 'stuff')

This line retrieves the information from the POST variable called "stuff" and assigns it to the $stuff variable.

$query = "INSERT INTO table VALUES" . "('$stuff')"

That's the query you want to force into the database (insert the value of the variable $stuff into the table "table").

$result = $conn->query($query)

This one is tricky; it does two things. First, it uses the query function of the $conn object ($conn->query) and gives the variable $query to that function. Once the query has been executed in the database, the result of that request is saved into $result.

Finally, the function:

function get_post($conn, $var) { return $conn->real_escape_string($_POST[$var]); }

The function you are using, real_escape_string, is a function already programmed into the mysqli object (which you pass in with the $conn variable). It cleans the string of malicious characters that might break the query when you concatenate $query = "INSERT INTO table VALUES" . "('$stuff')".

  • Ah I think I understand now. It's just that last step that was tricking my brain. – Chris Nov 09 '16 at 16:51
  • It was that I didn't realise my escape string is a part of mysqli (and therefore the conn object) specifically and not php as a whole. I hope I got that right but it makes sense if that's the case – Chris Nov 09 '16 at 18:31
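As an added example (not code from the question, the answer, or the O'Reilly book), here is the escaping helper from the question beside the prepared-statement version the comments point to, so the two ways of getting a POST value into MySQL can be compared side by side. The connection parameters and the table/column names (`items`, `stuff`) are placeholders, and `$_POST['stuff']` is filled with a constructed value so the script runs without a browser form.

```php
<?php
// Added example, not from the book or the question. Assumes a reachable MySQL
// server and a table `items` with one TEXT column `stuff` (placeholder names);
// the connection arguments are placeholders too.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$conn->set_charset('utf8mb4');   // escaping rules depend on the connection charset

// Constructed form input standing in for a real POST request.
$_POST['stuff'] = "O'Reilly";

// 1) The book's approach: escape the value, then splice it into the SQL text.
//    real_escape_string() lives on the mysqli object (hence $conn->) because
//    the escaping it applies depends on that connection's character set.
function get_post(mysqli $conn, string $var): string
{
    return $conn->real_escape_string($_POST[$var] ?? '');
}
$stuff = get_post($conn, 'stuff');          // the quote becomes \' in $stuff
$conn->query("INSERT INTO items (stuff) VALUES ('$stuff')");

// 2) The recommended approach: a prepared statement. The SQL text is sent
//    first with a ? placeholder, and the value is bound separately, so the
//    server never parses the user input as part of the statement and no
//    escaping step is needed at all.
$stmt = $conn->prepare('INSERT INTO items (stuff) VALUES (?)');
$stmt->bind_param('s', $_POST['stuff']);
$stmt->execute();
echo "inserted {$stmt->affected_rows} row(s) via prepared statement\n";
$stmt->close();
$conn->close();
```

Both branches insert the same row; the difference is that only the second one keeps the data out of the SQL text, which is why the comments recommend it over escaping.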