INET_ATON and Delegate Class

Posted: Thu Sep 17, 2009 1:29 pm
by msergent
I have a table that I am using to store IP Addresses in with the following fields:

IPAddress
+ip_addr_aton (INT unsigned)
+ip_addr (VARCHAR 15)
+subnet (VARCHAR 15)
+service (ENUM)
+description (VARCHAR 30)
+comments (TEXT)

How would I go about automatically converting the ip_addr entered by the user using the MySQL INET_ATON function and inputting it into the ip_addr_aton field upon saving the record?

Posted: Thu Sep 17, 2009 1:34 pm
by shannah
How about:
Code:
function beforeSave(&$record){
    $res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr')."')", df_db());
    if ( !$res ) throw new Exception(mysql_error(df_db()));
    list($ip_addr_aton) = mysql_fetch_row($res);
    @mysql_free_result($res);
    $record->setValue('ip_addr_aton', $ip_addr_aton);
}


Still having problems updating tables

Posted: Mon Sep 21, 2009 10:43 am
by msergent
I added the function to my IPAddress.php file and now receive the following error:

Warning: Wrong parameter count for addslashes() in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php on line 8

Fatal error: Uncaught exception 'Exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php:9 Stack trace: #0 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1696): tables_IPAddress->beforeSave(Object(Dataface_Record)) #1 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1577): Dataface_IO->fireEvent('beforeSave', Object(Dataface_Record)) #2 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1208): Dataface_IO->fireBeforeSave(Object(Dataface_Record)) #3 /usr/share/xataface-1.1.5r2/Dataface/ShortRelatedRecordForm.php(596): Dataface_IO->addRelatedRecord(Object(Dataface_RelatedRecord), true) #4 [internal function]: Dataface_ShortRelatedRecordForm->save(Array) #5 /usr/share/xataface-1.1.5r2/lib/HTML/QuickForm.php(1626): call_user_func(Array, Array) #6 /usr/share/xataface-1.1.5r2/actions/new_related_record.php(72): HTML_QuickForm->process(Array, true) #7 /usr/share/xataface-1 in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php on line 9

Any idea on what could be causing the problem now?

Posted: Mon Sep 21, 2009 11:10 am
by shannah
The code I gave you contains a typo.
Code:
res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr')."')", df_db());

should be
res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr'))."')", df_db());

Thank you

Posted: Mon Sep 21, 2009 12:14 pm
by msergent
Worked like a charm after I added the $ in front of the "res =" variable.

I have been searching for more on what the .addslashes statement does. I am not sure if I understand how it comes into play in defining a SQL statement.

Thank you again for your help.

Posted: Mon Sep 21, 2009 12:23 pm
by shannah
addslashes escapes any slashes that might be added to the input. E.g. without addslashes, if I wanted to search for a string that contained a quote you'd get an SQL error or worse.

e.g. Suppose I wanted to search for the phrase "can't" (without the outside quotes).

If you simply placed that into an sql query you'd have:

select * from foo where bar='can't'

Which could give you an sql error.

If you do the following though,

$sql = "select * from foo where bar='".addslashes("can't")."'";
it would be rendered like:
select * from foo where bar='can\'t'
which would be correct.

It is good practice to use addslashes() or an equivalent to sanitize any data that you place into an SQL query. If you don't, you open yourself up, not only to accidental mistakes, like the one above, but to malicious intentional problems introduced by users (hackers) of your system.

-Steve
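
Added example, not part of the thread and not Xataface's own code: the same beforeSave hook with ip_addr validated as a strict dotted-quad IPv4 address and converted in PHP, so the user's input is never concatenated into an SQL string and the quoting question does not arise. StubRecord is a hypothetical stand-in for the record object (only val() and setValue() from the thread are used), and the sample inputs are constructed.

```php
<?php
// Hypothetical stand-in for the record passed to beforeSave(), so the
// snippet runs on its own. In the application the framework supplies it.
class StubRecord {
    private $vals;
    function __construct(array $vals) { $this->vals = $vals; }
    function val($key) { return isset($this->vals[$key]) ? $this->vals[$key] : null; }
    function setValue($key, $value) { $this->vals[$key] = $value; }
}

// Return the unsigned 32-bit value of a dotted-quad IPv4 address as a digit
// string, or throw. Nothing that fails validation gets near the database.
function ipv4_to_uint($ip) {
    $ip = trim((string) $ip);
    // Require exactly four decimal octets; this refuses quotes, short forms
    // such as "127.1", out-of-range octets and empty input.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException('ip_addr is not a valid IPv4 address');
    }
    // ip2long() can be negative on 32-bit PHP; "%u" prints it unsigned,
    // which is the form an INT UNSIGNED column expects.
    return sprintf('%u', ip2long($ip));
}

function beforeSave(&$record) {
    // No query is built here, so there is no string to escape.
    $record->setValue('ip_addr_aton', ipv4_to_uint($record->val('ip_addr')));
}

// Constructed sample inputs: two valid addresses, then a stray quote (the
// "can't" case from the thread), a short form and an out-of-range octet.
$samples = array('10.0.0.1', '255.255.255.255', "10.0.0.1'", '127.1', '300.1.1.1');
foreach ($samples as $ip) {
    $rec = new StubRecord(array('ip_addr' => $ip));
    try {
        beforeSave($rec);
        printf("%-18s -> %s\n", $ip, $rec->val('ip_addr_aton'));
    } catch (InvalidArgumentException $e) {
        printf("%-18s rejected: %s\n", $ip, $e->getMessage());
    }
}
```

Where a value does have to go into SQL, a prepared statement with a bound parameter keeps it out of the query text; addslashes() does not take the connection character set into account.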

addslashes

Posted: Tue Sep 22, 2009 10:39 am
by msergent
Steve,

Thank you for the explanation; now I understand the addslashes command. I will be sure to use addslashes in future SQL queries.