3 Replies Latest reply on Aug 17, 2008 4:59 PM by (Hanno_Schupp)

    Escaping field value in custom transaction

    Level 1
      I have created a custom transaction inserting fields in a table called `billing`. The values are taken mainly from two other tables called `account` and `paypalinfo`. I have attached the code below.
      Please not the values to be inserted notated in wavy brackets like{paypalinfo.txnid}. This means the variable content is replacing what is in between the brackets and the brackets themselves of course at run time. Sine these are often character strings, I have put them into single quotes.

      This worked great until I had an Irish guy acccessing my site with the sirname of O'Hara. That of course confused the statement, as suddenly there was a ' character, which was supposed to be interpreted as string, but was interpreted as SQL field delimiter and thus broke the code.

      Here is my question: Should I escape the value and how would I do it, since this is not a normal code but a placeholder replaced at runtime? Or should I use another SQL field value delimiter, thus replace ' with ` ? I think the latter solution is inferior - just think of what heappens if you get an O`Hara instead of an O'Hara.

      So in essence the question is: How do you handle escaping varabiable content in custom transactions with run time replaced variables in {...} brackets?

      Any feedback welcome.

      Here is the code:
      // Make a custom transaction instance
      $customTransaction2 = new tNG_custom($conn_chilli);
      // Register triggers
      $customTransaction2->registerTrigger("STARTER", "Trigger_Default_Starter", 1, "POST", "KT_Insert1");
      // Set custom transaction SQL
      $customTransaction2->setSQL("INSERT INTO billing (buyer_email, account, affiliate, partner, admin, transid, transdate, buyer_fname, buyer_lname, package, minutesbought, amountpaid, currency, userid, mac, nasid, routermac) values ('{paypalinfo.buyer_email}','{paypalinfo.account}','{account.affiliate}', '{account.partner}', '{account.admin}', '{paypalinfo.txnid}', '".$right_now."', '{paypalinfo.firstname}', '{paypalinfo.lastname}', '{paypalinfo.itemname}', '{package.tavail}', '{paypalinfo.mc_gross}', '{paypalinfo.mc_currency}', '{SESSION.id}', '{paypalinfo.usermac}', '".$router_name."', '{paypalinfo.routermac}')");
        • 1. Re: Escaping field value in custom transaction
          Günter Schenk Level 4
          Hi Hanno,

          please see the thread "Keeping a table update history...": http://www.adobeforums.com/webx/.59b62d17/2

          In there you´ll note a different approach of inserting transaction values into a DB table -- rather than using a Custom Transaction (which utilizes ADDT´s Dynamic Data placeholders) you can practically do the same using a Custom *Trigger*, which makes use of ADDT´s $tNG->getColumnValue("columnname") - syntax.

          The important difference is: $tNG->getColumnValue("columnname") is a PHP variable which (unlike the Dynamic Data placeholders) can be pre-processed before having the Custom Trigger insert the related transaction value into the table -- and in your case the PHP function "mysql_escape_string" should escape the ' character just fine:

          $value_one = mysql_escape_string($tNG->getColumnValue("columnname"));

          Günter Schenk
          Adobe Community Expert, Dreamweaver
          • 2. Re: Escaping field value in custom transaction
            Level 1
            You should never be using anything but:<br /><br />'b string mysql_real_escape_string  ( string $unescaped_string  [, resource $link_identifier  ] )<br /><br />'i http://www.php.net/manual/en/function.mysql-real-escape-string.php<br /><br />The reasons for this is that this are related to SQL injection attacks.  I would hand code this, but for anything more complex than CRUD ( http://en.wikipedia.org/wiki/Create,_read,_update_and_delete ) (which ADDT handles very nicely) I favor hand coding as it is faster, less complex when enforcing business process.  Also, this allows one usage of the database management system's transaction mechanisms which are typically far more robust and reliable on top of being simpler to work with.  <br /><br />Please note that the type of my storage for your database within MySQL will support different features.  To enable the usage of database transactions you will need to use the InnoDB table type rather then the default MyISAM table type.  Various versions of MySQL have other options for transaction safe table but those two are the ones that are consistently available in web environs where bleeding edge software is not normally deployed.<br /><br />http://dev.mysql.com/doc/refman/5.0/en/storage-engines.html<br /><br />Diatribe aside, what you need to do with these templated objects is to duplicate the object referenced {paypalinfo} and apply mysql_real_escape_string to the duplicates elements {paypalinfo_escaped_copy.txnid}.  Then run the copied ADDT code with values from {paypalinfo_escaped_copy}.  How you do you this I leave you to track down as I do not find that level of abstraction to be a good use of my time and other other libraries/frameworks do it much more elegantly using less of my time.<br /><br />But as Gunter already noted, refactoring your problem to work with your tools existing architectures can be simpler.  ADDT has a limited programming architecture (primary design) which is done to simplify the automatic generation of code.  This can make some simple things complex (50-80 mouse clicks) as opposed to  typing one or two lines of code.<br /><br />some thoughts, <smile><br /><br />Sean
            • 3. Re: Escaping field value in custom transaction
              Level 1
              Thanks guys, very useful.
              I will reengineer the code to fit Guenther's approach. I never liked the 'pre-processor' kind of replacement of Dreamweaver anyway. Not really 'clean' in my view.