Oct 312015

When you’re performing database manipulations, it’s important to prepare your textual input so that there aren’t any stray single- (‘) or double-quotes  (“) that will wreck havoc with your MySQL queries.  Zen Cart provides methods (the functions zen_db_input and $db->prepare_input) that will help, but you need to have a plan for what method you’re going to use to insert or update that data to prevent over-preparation.

Zen Cart provides two methods for inserting and updating database information:

  1. class-based, using the $db->Execute function.
  2. function-based, using the zen_db_perform function.

The class-based method allows you full control over the formatting of a MySQL query while the function-based method uses an associative input-array to map each database field to its associated value.  The function-based method’s strength is its ease in creating or updating an entire database table record, while the class-based method is more suitable to a quick update of a couple of fields in a record.

When you use the class-based method, it’s very important to prepare any text input prior to sending that data to the database, i.e. escaping any quotes within the data.  Failure to do this can result in a whitescreen (with associated myDEBUG*.log) intermittently … based on the data input.

When you use the function-based method, that function automatically prepares all input — in fact, it treats all input as strings.  If you’ve also prepared the input, the resultant database field will include unwanted slashes (e.g. o/’Toole instead of o’Toole).  That’s because the function has prepared (via call to $db->prepare_input) data that you’ve already prepared, resulting in the slashes themselves being escaped … a result of over-preparation!

Zen Cart makes it easy to perform your database manipulations, but the onus is on you to first choose the method that you’re going to use and then perform any input-preparations needed based on the method you’ve chosen.

Sorry, the comment form is closed at this time.