INET_ATON and Delegate Class


Post by msergent » Thu Sep 17, 2009 1:29 pm

I have a table that I am using to store IP Addresses in with the following fields:

IPAddress
+ip_addr_aton (INT unsigned)
+ip_addr (VARCHAR 15)
+subnet (VARCHAR 15)
+service (ENUM)
+description (VARCHAR 30)
+comments (TEXT)

How would I go about automatically converting the ip_addr entered by the user using the MySQL INET_ATON function and inputting it into the ip_addr_aton field upon saving the record?
_MarkS.
msergent
 
Posts: 13
Joined: Mon Feb 16, 2009 10:09 am
Location: Virginia

Post by shannah » Thu Sep 17, 2009 1:34 pm

How about:
Code:
function beforeSave(&$record){
    $res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr')."')", df_db());
    if ( !$res ) throw new Exception(mysql_error(df_db()));
    list($ip_addr_aton) = mysql_fetch_row($res);
    @mysql_free_result($res);
    $record->setValue('ip_addr_aton', $ip_addr_aton);
}

shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm

Still having problems updating tables

Post by msergent » Mon Sep 21, 2009 10:43 am

I added the function to my IPAddress.php file and now receive the following error:

Warning: Wrong parameter count for addslashes() in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php on line 8

Fatal error: Uncaught exception 'Exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php:9 Stack trace: #0 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1696): tables_IPAddress->beforeSave(Object(Dataface_Record)) #1 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1577): Dataface_IO->fireEvent('beforeSave', Object(Dataface_Record)) #2 /usr/share/xataface-1.1.5r2/Dataface/IO.php(1208): Dataface_IO->fireBeforeSave(Object(Dataface_Record)) #3 /usr/share/xataface-1.1.5r2/Dataface/ShortRelatedRecordForm.php(596): Dataface_IO->addRelatedRecord(Object(Dataface_RelatedRecord), true) #4 [internal function]: Dataface_ShortRelatedRecordForm->save(Array) #5 /usr/share/xataface-1.1.5r2/lib/HTML/QuickForm.php(1626): call_user_func(Array, Array) #6 /usr/share/xataface-1.1.5r2/actions/new_related_record.php(72): HTML_QuickForm->process(Array, true) #7 /usr/share/xataface-1 in /var/www/CiscoDevices/tables/IPAddress/IPAddress.php on line 9

Any idea on what could be causing the problem now?
_MarkS.

Post by shannah » Mon Sep 21, 2009 11:10 am

The code I gave you contains a typo.
Code:
res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr')."')", df_db());

should be
res = mysql_query("select inet_aton('".addslashes($record->val('ip_addr'))."')", df_db());

Thank you

Post by msergent » Mon Sep 21, 2009 12:14 pm

Worked like a charm after I added the $ in front of the "res =" variable.

I have been searching for more on what the .addslashes statement does. I am not sure if I understand how it comes into play in defining a SQL statement.

Thank you again for your help.
_MarkS.

Post by shannah » Mon Sep 21, 2009 12:23 pm

addslashes escapes any slashes that might be added to the input. E.g. without addslashes, if I wanted to search for a string that contained a quote you'd get an SQL error or worse.

e.g. Suppose I wanted to search for the phrase "can't" (without the outside quotes).

If you simply placed that into an sql query you'd have:

select * from foo where bar='can't'

Which could give you an sql error.

If you do the following though,

$sql = "select * from foo where bar='".addslashes("can't")."'";
it would be rendered like:
select * from foo where bar='can\'t'
which would be correct.

It is good practice to use addslashes() or an equivalent to sanitize any data that you place into an SQL query. If you don't, you open yourself up, not only to accidental mistakes, like the one above, but malicious intentional problems introduced by users (hackers) of your system.

-Steve
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm
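
For the ip_addr case in this thread, an alternative that avoids building SQL from user input at all is to validate the address and convert it in PHP. This is an added example, not code from the thread or from Xataface; SampleRecord and ipv4_to_unsigned are hypothetical names, and it assumes IPv4-only input and that throwing from beforeSave is acceptable, as in the code posted above.

```php
<?php
// Added example, not Xataface code. SampleRecord is a hypothetical stand-in
// for Dataface_Record so the hook can run outside the framework.
class SampleRecord {
    private $vals;
    function __construct(array $vals) { $this->vals = $vals; }
    function val($field) { return isset($this->vals[$field]) ? $this->vals[$field] : null; }
    function setValue($field, $value) { $this->vals[$field] = $value; }
}

// Strict dotted-quad check, then local conversion: the user's string is
// never concatenated into SQL, so no quoting or escaping is involved.
function ipv4_to_unsigned($ip) {
    if (!is_string($ip) ||
        filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // ip2long() is signed on 32-bit PHP builds; %u prints it unsigned,
    // matching the INT UNSIGNED column.
    return sprintf('%u', ip2long($ip));
}

class tables_IPAddress {
    function beforeSave(&$record) {
        $n = ipv4_to_unsigned($record->val('ip_addr'));
        if ($n === null) {
            // Refuse the save instead of storing a NULL or bogus integer.
            throw new Exception('ip_addr is not a valid IPv4 address');
        }
        $record->setValue('ip_addr_aton', $n);
    }
}

// Constructed sample inputs: one valid address, one out-of-range octet,
// and the quoted string used earlier in the thread.
$delegate = new tables_IPAddress();
foreach (array('192.168.1.10', '10.0.0.256', "can't") as $input) {
    $rec = new SampleRecord(array('ip_addr' => $input));
    try {
        $delegate->beforeSave($rec);
        echo $input, ' => ', $rec->val('ip_addr_aton'), "\n";
    } catch (Exception $e) {
        echo $input, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```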

addslashes

Post by msergent » Tue Sep 22, 2009 10:39 am

Steve,

Thank you for the explanation; now I understand the addslashes command. I will be sure to use addslashes in future SQL queries.
_MarkS.


© 2005-2007 Steve Hannah All rights reserved