Home/ Questions/Q 6334795
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T18:43:39+00:00

I am using a dataHandler library to handle all of my db inserts /

  • 0

I am using a dataHandler library to handle all of my db inserts / updates, etc.
The library has the following functions:

function prepareValue($value, $connection){
$preparedValue = $value;
if(is_null($value)){
    $preparedValue = 'NULL';
}
else{
    $preparedValue = '\''.mysql_real_escape_string($value, $connection).'\'';
}
return $preparedValue;
}

function parseParams($params, $type, $connection){
$fields = "";
$values = "";

    if ($type == "UPDATE"){
    $return = "";
    foreach ($params as $key => $value){
    if ($return == ""){
        if (preg_match("/\)$/", $value)){
            $return = $key."=".$value;
        }
        else{
            $return = $key."=".$this->prepareValue($value, $connection);
        }
    }
    else{
        if (preg_match("/\)$/", $value)){
            $return = $return.", ".$key."=".$value;
        }
        else{
            $return = $return.", ".$key."=".$this->prepareValue($value,              
                         $connection);
        }
    }
    }
    return $return;
/* rest of function contains similar but for "INSERT", etc.
   }

These functions are then used to build queries using sprintf, as in:

$query = sprintf("UPDATE table SET " .
    $this->parseParams($params, "UPDATE", $conn) .
" WHERE fieldValue = %s;", $this->prepareValue($thesis_id, $conn));

$params is an associative array: array("db_field_name"=>$value, "db_field_name2"=>$value2, etc.)

I am now running into problems when I want to do an update or insert of a string that ends in “)” because the parseParams function does not put these values in quotes.

My question is this:
Why would this library NOT call prepareValue on strings that end in a closed parenthesis? Would calling mysql_real_escape_string() on this value cause any problems? I could easily modify the library, but I am assuming there is a reason the author handled this particular regex this way. I just can’t figure out what that reason is! And I’m hesitant to make any modifications until I understand the reasoning behind what is here.

Thanks for your help!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Please note that inside prepareValue not only mysql_real_escape_string is applied to the value but it is also put inside '. With this in mind, we could suspect that author assumed all strings ending with ) to be mysql function calls, ie:

    $params = array(
    'field1' => "John Doe",
    'field2' => "CONCAT('John',' ','Doe')",
    'field3' => "NOW()"
);

    Thats the only reasonable answer that comes to mind.

    • 0