
I am trying to modify some code and I wanted to use mysqli instead of mysql if possible. Here is what it looks like today.

$query = sprintf("select * from table where column = '%s';",mysql_escape_string($value));
$result = do_query_mysqli($query, __FILE__, __LINE__);

The function do_query_mysqli is in another file and I don't want to modify that file if possible. That function also includes $link to connect to the DB.

I do not have access to $link in the file I am modifying.

What is the best alternative to the code below if I want to achieve a similar result but I don't have access to $link?

$value = mysqli_real_escape_string($link, $value);

Thanks!

Edit -- None of the answers and comments address my issue, which is that I am trying to reduce the risk of SQL injection without having to change the function that executes the queries. But I will look into the solutions suggested anyway. Thanks.

bkp

  • If you really must, there is a function you could use in the user notes of the manual page for https://www.php.net/manual/en/mysqli.real-escape-string.php – May 29 '19 at 22:41
  • I'm afraid you *will* have to change the function. There's no 100% safe way to do what you want without using the database connection. The current code structure is simply insufficient for the task. – deceze May 30 '19 at 07:35

1 Answer

With mysqli to avoid SQL injection I've found it's better to use bind_param and bind_result.

$select1 = $con->prepare("SELECT jobnumber, starttime, endtime, title FROM JobSheet WHERE starttime BETWEEN ? AND ?");
$select1->bind_param('ss', $mondayMidnight, $sundayMidnight); // two string placeholders, bound by reference
$select1->execute();
$select1->bind_result($jobnumber, $starttime, $endtime, $title); // bind output columns after execute(), before fetch()
while ($select1->fetch()) {
    // $jobnumber, $starttime, $endtime and $title now hold the current row
}
$select1->close();

It's also good practice to ONLY select the columns you're interested in to satisfy the query you're using. SELECT * FROM ... is a minefield and a program error waiting to happen (when someone alters the table).

bind_param doesn't allow for SQL injection as the SQL is already prepared.

Dougie
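The following is an added example, not code from the question or from Dougie's answer. It shows one way to keep the asker's constraint (the caller never touches $link) while still getting the protection of prepared statements: the helper that owns the connection is extended to accept a query with ? placeholders plus the values to bind, in the style of the asker's do_query_mysqli(). The function name do_query_mysqli_prepared, the table and column names, and the connection credentials are all hypothetical; get_result() assumes the mysqlnd driver (on the libmysqlclient driver use bind_result()/fetch() as in the answer above).

```php
<?php
// Added example (not from the question or answer): a parameterised query
// helper in the style of the asker's do_query_mysqli(). The helper owns the
// mysqli connection, so callers never need $link themselves; they pass the
// SQL with ? placeholders plus the values, and the values are bound rather
// than escaped and interpolated. All names below are hypothetical.

declare(strict_types=1);

/**
 * Run $sql with the given parameters bound via a prepared statement.
 * $types is the mysqli type string ('s' string, 'i' int, 'd' double, 'b' blob),
 * one character per element of $params. Returns an array of associative rows.
 */
function do_query_mysqli_prepared(mysqli $link, string $sql, string $types, array $params, string $file, int $line): array
{
    if (strlen($types) !== count($params)) {
        throw new InvalidArgumentException("type string/parameter count mismatch at $file:$line");
    }
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed at $file:$line: " . $link->error);
    }
    if ($params !== []) {
        // bind_param() takes its values by reference; spreading a variable array is allowed
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed at $file:$line: " . $stmt->error);
    }
    $result = $stmt->get_result();   // mysqlnd only; otherwise use bind_result()/fetch()
    $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    $stmt->close();
    return $rows;
}

// Caller side: the query from the question, rewritten. The value is bound by
// the driver, so a quote inside $value cannot change the structure of the SQL.
$link  = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // hypothetical credentials
$value = "O'Brien";                                                    // constructed sample input
$rows  = do_query_mysqli_prepared(
    $link,
    'SELECT id, column_name FROM some_table WHERE column_name = ?',
    's',
    [$value],
    __FILE__,
    __LINE__
);
foreach ($rows as $row) {
    echo $row['id'], ' ', $row['column_name'], PHP_EOL;
}
```

The caller side is as short as the asker's original two lines, but the string being executed never contains user data: the SQL text and the values travel to the server separately, which is what makes escaping unnecessary. Selecting named columns instead of * follows the answer's advice and also makes the returned array keys predictable.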