smcfunc[db_quote] for inserts?

Tekkla · April 09, 2014, 04:29:37 PM

Does something like that exist?

emanuele · April 09, 2014, 04:43:42 PM

db_insert?

Tekkla · April 09, 2014, 05:13:55 PM

Returns NULL to me. Should db_insert return the full sql string is uses for insert?

Herman's Mixen · April 09, 2014, 05:22:15 PM

http://dev.simplemachines.org/smcfunctions.php

emanuele · April 09, 2014, 05:28:54 PM

Use db_quote is discouraged (unless you have a good reason to, and even then it may be worth redo the code to use a plain db_query).
db_insert is completely different and if you want t support the different dbms SMF supports (MySQL, PostgreSQL and SQLite) it is the one to use.
I'm not sure why you want to have the string (since db_insert takes care of everything (really) just passing a couple of arrays), so... I can't give you a meaningful answer, sorry.

Herman the db functions are better documented at http://wiki.simplemachines.org/smf/$smcFunc

Tekkla · April 09, 2014, 05:36:22 PM

Thanks for your patience, but I did not ask about what's good or bad or where I can find a list of db functions. I asked how to get the sql string created by db_insert (without grabbing it manually from the place it is created)? I guess, there is no "Does not execute the query, Formats as if it where going to be and returns the string.". Correct?

margarett · April 09, 2014, 05:58:46 PM

Well, at the end of the day, for MySQL, the "final" insert is really in Sources/Subs-Db-mysql.php

Code Select


	// Do the insert.
	$smcFunc['db_query']('', '
		' . $queryTitle . ' INTO ' . $table . '(`' . implode('`, `', $indexed_columns) . '`)
		VALUES
			' . implode(',
			', $insertRows),
		array(
			'security_override' => true,
			'db_error_skip' => $table === $db_prefix . 'log_errors',
		),
		$connection
	);

You can't get a complete string, but you can edit that funcion and maybe build a string with the passed variables...

Or, if you add $db_show_debug=true; in Settings.php it shows you the query (not so sure for an insert, since the page has to reload...)

Tekkla · April 09, 2014, 06:22:59 PM

Yeah. Found this too. Did some search for a maybe not documented function before, but without success. Now I know that I have to do it manually. Thank you.

emanuele · April 11, 2014, 11:06:09 AM

I know what you asked and what you didn't, and I know what I wanted to answer.

A query is a query, and if you know how to use db_quote, you already know how to use it for whatever you want. If you don't (in my book) it may mean you don't know very well db_quote and so it is potentially dangerous to explain you how to SQLinject your own site. (Even SMF has a bug of that level for bad usage of db_quote (or lack of usage, I don't remember the details) and addslashes, so it's not that I'm considering you a noob, it's that it can be very tricky.

)

Tekkla · April 12, 2014, 12:53:37 PM

Can you show me how to use db_qoute on db_insert WITHOUT altering the code of SMF, please?

margarett · April 13, 2014, 12:10:46 PM

You can use db_quote with a regular, complete instruction with INSERTO INTO or whatever. The only problem is that you might loose cross-database compatibility because you'll use probably MySQL syntax. But you can perfectly use INSERT INTO instead of the regular SELECT.

News:

smcfunc[db_quote] for inserts?