
Fast & Secure SQLi-Database-Query class (PHP Scripts)

By Acty, January 27, 2014

This is a PHP class that makes issuing SQL queries easier and protects against SQL injection and XSS. It uses MySQLi to query the database.

The first thing that comes to mind when you see this class may be: "There are many database classes out there, so why should I choose yours?"

The answer is really easy:

This PHP class takes care of all the tedious and annoying security work for you, and it is written to run as fast as possible: all unneeded overhead has been removed and every trick to speed up PHP execution has been applied.

The result is a tiny, fast but secure database helper class that makes your life easier.

So save your time for the really important and interesting parts of coding, and stop wasting it on security chores!

There are 47 different tags supported by default, and if you want to add your own, no problem:
The class also has a really easy way to add more tags yourself. One function call and your own tag is registered.
This way you not only defend against XSS and SQL attacks but also save a lot of time.
If you want to insert the MD5 of a variable into your database, you do not have to use prepared statements (though you can, of course): just write "UPDATE table SET pw=?md5" and your variable is hashed automatically. (Note that an unsalted MD5 is not suitable for storing passwords; use password_hash() and password_verify() for those and reserve ?md5 for checksums and lookup keys.)
You can also use this class as an advanced validator with many built-in validations such as e-mail, URL and telephone number checks, …
Just try it; you will miss it once you have used this class!

In the following you can see the basic functions, just a very small piece of the complete class:

    $db=new Database("servername","username","password","database","charset");
    /* Set the charset used for queries and results (MySQL's "utf8" is
       limited to 3-byte characters; use "utf8mb4" if you need full Unicode) */
    $db->setCharset("utf8");
    /* Place a single query */
    // With the following syntax:
    // SELECT * FROM table WHERE val1=?sql and val2=?sql
    // each ?sql value is escaped, enclosed in quotes and inserted into the
    // query by the class, so user input cannot break out of the string literal.
    $result=$db->singleQuery(
    "SELECT * FROM table WHERE id=?sql and name=?sql",$id,$name);

    /* If you have to escape guest book entries to prevent XSS,
    use ?html, which HTML-encodes the value (this also prevents SQL injection): */
    $result=$db->singleQuery(
    "INSERT INTO table(id,entry) VALUES(NULL,?html)",$_POST['guest_book_entry']);

    // There are even more tags, e.g.
    // ?md5: converts your value to its MD5 hash
    // ?timestamp: converts your date/time to a timestamp
    // ?hex: converts your string to hex
    // ...
    // At the moment there are 47 different tags you can use, and you can add
    // your own with one easy function call. The callback receives the value
    // and returns the transformed value:

    function my_new_test_function($value)
    {
        return md5(md5($value));
    }
    $db->addValidation("double_md5","my_new_test_function");

    // After that, your new tag can be used like any built-in one:
    $result=$db->singleQuery(
    "SELECT * FROM double_hashed WHERE pw_double_hashed=?double_md5",$password);
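To make the mechanism concrete, here is an added example that is not code from the class above: a small re-implementation of the ?tag idea on top of MySQLi prepared statements. Each ?tag becomes a bind marker, the tag's callback is applied to the matching argument, and the transformed value is bound instead of being escaped and spliced into the SQL string. The class and method names (TagQuery, expand, addTag, run) and the fixed tag set are this example's own; it assumes PHP 8 and the mysqlnd driver (for get_result()), and the connection in run() is only needed for the execution step, not for the expansion shown at the bottom.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not part of the original class. Reimplements "?tag"
 * placeholders on top of mysqli prepared statements: each ?tag is replaced
 * by a bind marker "?", the tag's callable is applied to the argument, and
 * the result is bound. No value is ever concatenated into the SQL text, so
 * the escape-and-quote step of the original class is not needed.
 */
final class TagQuery
{
    /** @var array<string, callable(string): string> tag name => transform */
    private array $tags;

    public function __construct()
    {
        $this->tags = [
            // pass-through: the value is bound exactly as given
            'sql'  => fn(string $v): string => $v,
            // HTML-encode before storing (see the caveat in the text below)
            'html' => fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
            'md5'  => fn(string $v): string => md5($v),
            'hex'  => fn(string $v): string => bin2hex($v),
        ];
    }

    /** Register a custom tag, like addValidation() in the original class. */
    public function addTag(string $name, callable $fn): void
    {
        if (!preg_match('/^[a-z0-9_]+$/', $name)) {
            throw new InvalidArgumentException("bad tag name: $name");
        }
        $this->tags[$name] = $fn;
    }

    /**
     * Turn "… WHERE id=?sql AND pw=?md5" plus its arguments into
     * ["… WHERE id=? AND pw=?", [transformed arguments]].
     * Arguments are consumed left to right, one per tag, and the counts
     * must match so a query can never silently run with a missing value.
     */
    public function expand(string $sql, string ...$args): array
    {
        $bound = [];
        $i = 0;
        $out = preg_replace_callback(
            '/\?([a-z0-9_]+)/',
            function (array $m) use (&$i, &$bound, $args): string {
                $tag = $m[1];
                if (!isset($this->tags[$tag])) {
                    throw new InvalidArgumentException("unknown tag ?$tag");
                }
                if (!array_key_exists($i, $args)) {
                    throw new InvalidArgumentException("missing argument for ?$tag");
                }
                $bound[] = ($this->tags[$tag])($args[$i++]);
                return '?';
            },
            $sql
        );
        if ($i !== count($args)) {
            throw new InvalidArgumentException("$i tags but " . count($args) . ' arguments');
        }
        return [$out, $bound];
    }

    /** Execute through mysqli; every transformed value is bound as a string. */
    public function run(mysqli $db, string $sql, string ...$args): mysqli_result|bool
    {
        [$prepared, $bound] = $this->expand($sql, ...$args);
        $stmt = $db->prepare($prepared);
        if ($bound !== []) {
            $stmt->bind_param(str_repeat('s', count($bound)), ...$bound);
        }
        $stmt->execute();
        return $stmt->get_result();   // false for INSERT/UPDATE, a result set for SELECT
    }
}

// Stand-alone demonstration of the expansion step; no database required.
$q = new TagQuery();
$q->addTag('double_md5', fn(string $v): string => md5(md5($v)));

$hostile = "' OR '1'='1";   // constructed attacker input for the demo
[$sql, $vals] = $q->expand(
    "SELECT * FROM double_hashed WHERE name=?sql AND pw_double_hashed=?double_md5",
    $hostile, 'secret'
);
echo $sql, "\n";    // the two ?tags have become plain bind markers
print_r($vals);     // the raw hostile string and the double-MD5 of 'secret', bound, not spliced in
```

Binding instead of escaping removes the two weak points of escape-and-quote: correctness no longer depends on the connection charset matching what the escape function assumes, and a value placed where a literal is not expected (for example a ?sql inside ORDER BY or LIMIT) is still sent as a bound string, which MySQL treats as a value and never as SQL. Two caveats carry over from the original class: storing the ?html output in the database ties the stored data to one output context, so the usual practice is to keep the raw text and escape at render time; and ?md5 is fine for checksums and lookup keys, but password columns should use password_hash() and password_verify() rather than any unsalted digest.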