Simple Machines Community Forum

Customizing SMF => SMF Coding Discussion => Topic started by: Leipe Po on May 29, 2006, 05:24:43 PM

Title: difference between db_query and mysql_query
Post by: Leipe Po on May 29, 2006, 05:24:43 PM
What's the difference between them? I use db_query on my site, but don't know what the difference is.
Does it secure it when inserting into the DB?

thank you, Leipe Po
Title: Re: difference between db_query and mysql_query
Post by: Harzem on May 29, 2006, 05:30:03 PM
db_query has the ability to log errors in the SMF error log.

db_query also has some precautions to prevent hacking. You can see these in the function definition of db_query, where there are lines like die("hacking attempt...");

    // $clean holds the query with its single-quoted string literals replaced
    // by a placeholder and lowercased, so these checks only see the SQL text
    // outside of the values; $db_string is the original query as passed in.

    // We don't use UNION in SMF, at least so far.  But it's useful for injections.
    if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^[a-z])~s', $clean) != 0)
        $fail = true;
    // Comments?  We don't use comments in our queries, we leave 'em outside!
    elseif (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, ';') !== false)
        $fail = true;
    // Trying to change passwords, slow us down, or something?
    elseif (strpos($clean, 'set password') !== false && preg_match('~(^|[^a-z])set password($|[^[a-z])~s', $clean) != 0)
        $fail = true;
    elseif (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^[a-z])~s', $clean) != 0)
        $fail = true;
    // Sub selects?  We don't use those either.
    elseif (preg_match('~\([^)]*?select~s', $clean) != 0)
        $fail = true;

    // Any rule above that fired aborts the query, logs it, and shows the user an error.
    if (!empty($fail))
    {
        log_error('Hacking attempt...' . "\n" . $db_string, $file, $line);
        fatal_error('Hacking attempt...', false);
    }

I suggest you go through the function definition. It is not a default PHP function; it is defined for SMF in Subs.php.
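To see what the check above actually does and does not catch, here is an added example (not code from this thread or from SMF itself) that rebuilds the keyword check as a stand-alone PHP script and runs it over a handful of constructed queries. The helper that strips quoted literals, the function names and the sample queries are this example's own assumptions; the five rules are the ones in the fragment above, with the odd `[^[a-z]` character class written as the plain `[^a-z]`. The last sample shows why the check is a safety net rather than a replacement for escaping values: an unescaped value that only closes a quote and adds a condition contains none of the listed keywords and passes.

```php
<?php
// Added example, not SMF's own code: a stand-alone reimplementation of the
// db_query() keyword check, so it can be run against sample queries offline.
// Function names, the literal-stripping helper and the samples are assumptions
// made for this example.

// Replace every single-quoted string literal with a placeholder, honouring
// backslash escapes inside the literal, then lowercase. The check therefore
// only ever sees the SQL *outside* of quoted values, as $clean does in SMF.
function strip_quoted_literals($sql)
{
    $clean = '';
    $in_string = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($in_string) {
            if ($c === '\\') {
                $i++;               // skip the escaped character
            } elseif ($c === '\'') {
                $in_string = false;
                $clean .= ' %s ';   // placeholder standing in for the literal
            }
            continue;
        }
        if ($c === '\'') {
            $in_string = true;
            continue;
        }
        $clean .= $c;
    }
    return trim(strtolower($clean));
}

// Returns the name of the rule that fires, or null when the query passes.
function check_query($sql)
{
    $clean = strip_quoted_literals($sql);

    if (strpos($clean, 'union') !== false && preg_match('~(^|[^a-z])union($|[^a-z])~s', $clean)) {
        return 'union';
    }
    if (strpos($clean, '/*') > 2 || strpos($clean, '--') !== false || strpos($clean, ';') !== false) {
        return 'comment or statement separator';
    }
    if (strpos($clean, 'set password') !== false && preg_match('~(^|[^a-z])set password($|[^a-z])~s', $clean)) {
        return 'set password';
    }
    if (strpos($clean, 'benchmark') !== false && preg_match('~(^|[^a-z])benchmark($|[^a-z])~s', $clean)) {
        return 'benchmark';
    }
    if (preg_match('~\([^)]*?select~s', $clean)) {
        return 'subselect';
    }
    return null;
}

// Constructed sample values and queries (not taken from any real forum).
$value_escaped   = addslashes("O'Reilly");                        // escaped before interpolation
$value_tautology = "x' OR '1'='1";                                // interpolated without escaping
$value_union     = "x' UNION SELECT passwd FROM members WHERE '1'='1";

$samples = array(
    'escaped value'        => "SELECT ID_MEMBER FROM smf_members WHERE memberName = '$value_escaped' LIMIT 1",
    'union injection'      => "SELECT ID_MEMBER FROM smf_members WHERE memberName = '$value_union'",
    'comment injection'    => "SELECT ID_MEMBER FROM smf_members WHERE memberName = 'x' -- '",
    'stacked statement'    => "SELECT 1; DROP TABLE smf_members",
    'subselect'            => "SELECT 1 FROM smf_members WHERE ID_MEMBER IN (SELECT 1)",
    'benchmark'            => "SELECT BENCHMARK(1000000, MD5('x'))",
    'unescaped tautology'  => "SELECT ID_MEMBER FROM smf_members WHERE memberName = '$value_tautology'",
);

foreach ($samples as $label => $sql) {
    $rule = check_query($sql);
    printf("%-22s %s\n", $label, $rule === null ? 'passes' : "blocked by: $rule");
}
```

Run it with php on the command line; each line reports which rule fired, and only the first and the last sample pass. Escaping the value (addslashes here; in real code the database driver's escaping function or a prepared statement) is what turns the quote inside a value into data, so the keyword check then never has to fire; the unescaped tautology passes the check and would still change the query's meaning.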
Title: Re: difference between db_query and mysql_query
Post by: Leipe Po on May 29, 2006, 05:34:47 PM
OK, that's about the only file I haven't searched in for that function.
Thank you, Harzem!!!