makesafe() and db_fetch_assoc()

G Belgrado
Veteran Member
Posts: 61
Joined: 2017-03-12 09:24

makesafe() and db_fetch_assoc()

Post by G Belgrado » 2020-02-28 17:29

I have a query that selects all the fields of a parent table
and inserts them into a child table.

Code:

$dati_fat = sql("SELECT * FROM `impianti` WHERE `id`= '{$data['id_imp']}' ", $eo);
$rowDaFa = db_fetch_assoc($dati_fat);

Up to here it works.
But if a field contains an apostrophe in the text (like D'Amico), obviously I get an error.

So I used makeSafe(), but it doesn't work:

Code:

$dati_fat = sql("SELECT * FROM `impianti` WHERE `id`=  '" . makeSafe($data['id_imp']) . "' ", $eo);
$dati_fat_ms = makeSafe($dati_fat);   // makeSafe() applied to the query result, not to a string value
$rowDaFa = db_fetch_assoc($dati_fat_ms);

I am confused about how to use makeSafe(); can someone help me, please?

G Belgrado
Veteran Member
Posts: 61
Joined: 2017-03-12 09:24

Re: makesafe() and db_fetch_assoc()

Post by G Belgrado » 2020-02-28 19:08

Maybe I solved it.

This way it works:

Code:

$dati_fat = sql("SELECT * FROM `impianti` WHERE `id`= '{$data['id_imp']}' ", $eo);
$rowDaFa = db_fetch_assoc($dati_fat);
$rowDaFa_nome = makeSafe($rowDaFa['name']);   // escape the fetched value before reusing it in SQL

....  then "INSERT INTO `another_table` .....   '$rowDaFa_nome'

But I would have to do makeSafe() for every field $rowDaFa['field'].

D Oliveira
AppGini Super Hero
Posts: 347
Joined: 2018-03-04 09:30
Location: David

Re: makesafe() and db_fetch_assoc()

Post by D Oliveira » 2020-02-28 19:55

G Belgrado wrote:
2020-02-28 19:08
Maybe I solved it.

This way it works:

Code:

$dati_fat = sql("SELECT * FROM `impianti` WHERE `id`= '{$data['id_imp']}' ", $eo);
$rowDaFa = db_fetch_assoc($dati_fat);
$rowDaFa_nome = makeSafe($rowDaFa['name']);

....  then "INSERT INTO `another_table` .....   '$rowDaFa_nome'

But I would have to do makeSafe() for every field $rowDaFa['field'].

As Jan beautifully explained here: viewtopic.php?t=2826
makeSafe() replaces strings, or parts of strings, which may be dangerous if executed on a database. It returns "safe" strings which can be used in SQL statements. makeSafe() and other escaping strategies protect you from so-called "SQL injection".

See here: https://searchsoftwarequality.techtarge ... -injection

SQL injection
Posted by: Margaret Rouse
WhatIs.com
SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database. [...] an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.

Hope this helps!
Regards,
Jan
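As an added example (not code from this thread or from AppGini itself) of the point made above: makeSafe() escapes a string value, so it belongs on every value that gets interpolated into SQL, including the id in the WHERE clause, and not on the result handle returned by sql(). The helper below fetches the parent row and builds the child INSERT with each fetched field escaped, NULLs preserved, and column names taken from a whitelist rather than from the request. It assumes AppGini's sql(), db_fetch_assoc() and makeSafe() as used in the posts; the escaping stand-in at the top exists only so the statement builder can be run outside AppGini and is not AppGini's implementation; `impianti`, `another_table` and the field names are placeholders.

```php
<?php
// Added example, not AppGini's own code. Copies one parent row into a child
// table with every interpolated value passed through makeSafe() first.

if (!function_exists('makeSafe')) {
    // Offline stand-in only (assumption, not AppGini's implementation): escapes the
    // characters mysqli_real_escape_string() escapes so the builder can run without AppGini.
    function makeSafe($value) {
        return strtr((string) $value, [
            "\\"   => "\\\\",
            "'"    => "\\'",
            '"'    => '\\"',
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ]);
    }
}

/**
 * Build an INSERT statement for $table from an associative row.
 * Each value is escaped with makeSafe() and single-quoted; NULL stays NULL.
 * Only fields listed in $allowedFields are copied, so column names come from
 * your own schema (a whitelist), never from user input.
 */
function buildSafeInsert($table, array $row, array $allowedFields) {
    $columns = [];
    $values  = [];
    foreach ($allowedFields as $field) {
        if (!array_key_exists($field, $row)) {
            continue;
        }
        $columns[] = '`' . str_replace('`', '``', $field) . '`';
        $values[]  = ($row[$field] === null)
            ? 'NULL'
            : "'" . makeSafe($row[$field]) . "'";
    }
    if (!$columns) {
        return '';
    }
    return 'INSERT INTO `' . str_replace('`', '``', $table) . '` ('
         . implode(', ', $columns) . ') VALUES (' . implode(', ', $values) . ')';
}

/**
 * Fetch the parent row by id and insert it into $childTable.
 * $idImp is escaped as well: the raw '{$data['id_imp']}' interpolation in the
 * original snippet is the same kind of injection point as the apostrophe in D'Amico.
 * $eo is AppGini's options array as passed to sql() in the thread.
 */
function copyParentToChild($idImp, $childTable, array $fields, &$eo) {
    $res = sql("SELECT * FROM `impianti` WHERE `id`='" . makeSafe($idImp) . "'", $eo);
    $row = db_fetch_assoc($res);
    if (!$row) {
        return false;
    }
    $insert = buildSafeInsert($childTable, $row, $fields);
    return ($insert !== '') ? sql($insert, $eo) : false;
}

// Constructed sample row (no database needed) showing the apostrophe case and a NULL.
$sampleRow = ['name' => "D'Amico", 'city' => 'Roma', 'note' => null];
echo buildSafeInsert('another_table', $sampleRow, ['name', 'city', 'note']), "\n";
```

Inside an AppGini hook you would call `copyParentToChild($data['id_imp'], 'another_table', ['name', 'city', 'note'], $eo)` and drop the stand-in block. Because AppGini's sql() takes a finished query string, escaping each value this way is the available defence here; the whitelist of field names matters just as much, since makeSafe() protects quoted values, not identifiers.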
