Community Add-Ons

Maintainers: shopperPS
Add file to this package
Top » Features

MySQLi Prepared Statement Automator
for osCommerce Online Merchant v2.3

Download
by shopperPS / 30 May 2014

!! Achtung !!

- This Modification might break your store in many unpredictable and possibly agonizing ways. It requires thoroughly testing before you implement it in a live store.

- I have tested it without any errors in both Catalog & Admin side of osCommerce 2.3.3.4. But I haven’t tested every single possible query in every possible language so I leave the testing to you.
Feeling lucky? Well, then go ahead and start using it. Report any problems to the Support thread!


What is $this?
This is a modification to the database functions with the purpose of ”automatically” converting all the queries to MySQLi Prepared Statements using regex pattern and type definition detection.

It will be successful in most (or all) cases, but if the regex fails or the query doesn’t have any parameters, then the database will be queried with a direct (Old School) query.

Why do I need prepared statements?
Prepared Statements are very important for web application security, as they protect from SQL injection. Using Prepared Statements you do not have to escape strings before inserting them in Database.

There is of course a lot more you can do with prepared statements, but this modification will be more like a stopgap until osCommerce natively uses Prepared Statements. (Who knows? Maybe one day it will?)

Requirements?
PHP 5 >= 5.3.0
MySQL Native Driver (mysqlnd) - Needed for mysqli_stmt::get_result.

How do I know if my server support mysqlnd?
In your admin, go to Tools => Server info
Here you should find a section called mysqlnd.


Support Thread
http://forums.oscommerce.com/topic/397047-mysqli-prepared-statement-automator/

Legend:  Download   Report

Expand All / Collapse All

MySQLi Prepared Statement Automator shopperPS 30 May 2014  

!! Achtung !!

- This Modification might break your store in many unpredictable and possibly agonizing ways. It requires thoroughly testing before you implement it in a live store.

- I have tested it without any errors in both Catalog & Admin side of osCommerce 2.3.3.4. But I haven’t tested every single possible query in every possible language so I leave the testing to you.
Feeling lucky? Well, then go ahead and start using it. Report any problems to the Support thread!


What is $this?
This is a modification to the database functions with the purpose of ”automatically” converting all the queries to MySQLi Prepared Statements using regex pattern and type definition detection.

It will be successful in most (or all) cases, but if the regex fails or the query doesn’t have any parameters, then the database will be queried with a direct (Old School) query.

Why do I need prepared statements?
Prepared Statements are very important for web application security, as they protect from SQL injection. Using Prepared Statements you do not have to escape strings before inserting them in Database.

There is of course a lot more you can do with prepared statements, but this modification will be more like a stopgap until osCommerce natively uses Prepared Statements. (Who knows? Maybe one day it will?)

Requirements?
PHP 5 >= 5.3.0
MySQL Native Driver (mysqlnd) - Needed for mysqli_stmt::get_result.

How do I know if my server support mysqlnd?
In your admin, go to Tools => Server info
Here you should find a section called mysqlnd.


Support Thread
http://forums.oscommerce.com/topic/397047-mysqli-prepared-statement-automator/