The following code is part of a Google API access flow. After connectDb(), there is a line
$q = sprintf("select * from users where google_user_id='%s' limit 1", r($me->id));
...// and more afterwards
$q = sprintf("insert into users (google_user_id, google_email, google_name, google_picture, google_access_token, created, modified) values ('%s','%s','%s','%s','%s',now(),now());",
r($me->id),
r($me->email),
r($me->name),
r($me->picture),
r($me->access_token));
And I am not sure what r($me->id) is doing. What is “r” for?
More detailed code is here:
// get profile
$params = array(
'client_id' => CLIENT_ID,
'client_secret' => CLIENT_SECRET,
'code' => $_GET['code'],
'redirect_uri' => SITE_URL.'redirect.php',
'grant_type' => 'authorization_code'
);
$url = 'https://accounts.google.com/o/oauth2/token';
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$rs = curl_exec($curl);
curl_close($curl);
$json = json_decode($rs);
$url = 'https://www.googleapis.com/oauth2/v1/userinfo?access_token='.$json->access_token;
$me = json_decode(file_get_contents($url));
// enter into DB
connectDb();
$q = sprintf("select * from users where google_user_id='%s' limit 1", r($me->id));
$rs = mysql_query($q);
$user = mysql_fetch_assoc($rs);
if (empty($user)) {
$q = sprintf("insert into users (google_user_id, google_email, google_name, google_picture, google_access_token, created, modified) values ('%s','%s','%s','%s','%s',now(),now());",
r($me->id),
r($me->email),
r($me->name),
r($me->picture),
r($me->access_token));
$rs = mysql_query($q);
$q = sprintf("select * from users where id=%d", mysql_insert_id());
$rs = mysql_query($q);
$user = mysql_fetch_assoc($rs);
}
Whilst one can’t be sure as it’s not present in the code, it’s being used to SQL-escape values injected into a query… so my guess is that it has been defined as a shortcut alias for one of the string escaping functions. eg
As typing out the name mysql_real_escape_string every time gets a bit boring. Escaping prevents SQL-injection attacks. Parameterised queries are generally considered a more sustainable way to tackle it, but in PHP that means changing to the mysqli or PDO interfaces.
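As an added example (not code from the question or the answer), here is the question's lookup-or-insert logic rewritten with PDO prepared statements, the parameterised approach the answer recommends; the DSN, credentials and function names are assumptions.

```php
<?php
// Added example, not from the question or the answer: the same lookup-or-insert
// flow written with PDO prepared statements, so each value is bound as a
// parameter instead of being escaped and spliced into the SQL text.

function connectPdo(): PDO
{
    // Hypothetical DSN and credentials; substitute your own.
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');
    // Throw on errors and use server-side prepares (no client-side emulation).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $pdo;
}

// Return the users row for a decoded Google userinfo object ($me, as in the
// question), creating it on first login. The access token is passed separately.
function findOrCreateGoogleUser(PDO $pdo, object $me, string $accessToken): array
{
    // Lookup: the Google user id is a bound parameter, never part of the SQL string.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE google_user_id = :gid LIMIT 1');
    $stmt->execute([':gid' => $me->id]);
    $user = $stmt->fetch();
    if ($user !== false) {
        return $user;
    }

    // Insert: same columns as the question's query, each value bound by name.
    $stmt = $pdo->prepare(
        'INSERT INTO users (google_user_id, google_email, google_name, google_picture,'
        . ' google_access_token, created, modified)'
        . ' VALUES (:gid, :email, :name, :picture, :token, NOW(), NOW())'
    );
    $stmt->execute([
        ':gid'     => $me->id,
        ':email'   => $me->email,
        ':name'    => $me->name,
        ':picture' => $me->picture,
        ':token'   => $accessToken,
    ]);

    // Re-read the new row by its auto-increment id, bound as an integer.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch();
}
```

With prepared statements the escaping helper is no longer needed, because the driver sends the query text and the values to the server separately.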