2014-02-16, 07:36 PM
In inc/db_mysql.php i still see mysql_connect() syntax like mysql_fetch_array() in there. Is there a way to check if Mybb is using my servers PDO module, and not old mysql ?
2014-02-16, 07:36 PM
2014-02-16, 08:04 PM
MyBB's core database classes don't use PDO unfortunately. You should use the MySQLi database adapter (using mysqli_* functions) though as it's at least not deprecated (unlike the mysql_* functions).
2014-02-16, 08:20 PM
(2014-02-16, 08:04 PM)Euan T Wrote: [ -> ]MyBB's core database classes don't use PDO unfortunately. You should use the MySQLi database adapter (using mysqli_* functions) though as it's at least not deprecated (unlike the mysql_* functions).
What ? Are you kidding? Why dont Mybb use PDO. I see inc/db_pdo.php there. Is that just there for fun ?
2014-02-16, 08:34 PM
(2014-02-16, 08:20 PM)KLOX94 Wrote: [ -> ]Why dont Mybb use PDO.It was simply not available when MyBB 1.x was initially developed. There is actually no real reason to switch from mysqli to PDO as it is still maintained and recommend by PHP team: http://www.php.net/manual/en/mysqlinfo.api.choosing.php
(2014-02-16, 08:20 PM)KLOX94 Wrote: [ -> ]Is that just there for fun ?It is used for SQLite.
2014-02-16, 08:35 PM
PDO is the engine used to connect to SQLite. MyBB doesn't use PDO because there isn't a suitable time to change it yet.
2014-02-16, 08:35 PM
(2014-02-16, 08:20 PM)KLOX94 Wrote: [ -> ]Sounds like you might be able to get it to work with some core edits then.(2014-02-16, 08:04 PM)Euan T Wrote: [ -> ]MyBB's core database classes don't use PDO unfortunately. You should use the MySQLi database adapter (using mysqli_* functions) though as it's at least not deprecated (unlike the mysql_* functions).What ? Are you kidding? Why dont Mybb use PDO. I see inc/db_pdo.php there. Is that just there for fun ?
Hopefully, they'll enable it as an option in 1.8
require_once MYBB_ROOT."inc/db_".$config['database']['type'].".php";
switch($config['database']['type'])
{
case "sqlite":
$db = new DB_SQLite;
break;
case "pgsql":
$db = new DB_PgSQL;
break;
case "mysqli":
$db = new DB_MySQLi;
break;
default:
$db = new DB_MySQL;
}Edit: You might also have to mod the class to add some of the utility methods which MyBB uses and some other things like table prefixes. MyBB is moving in the direction of the community helping so, you might be able to get those changes into the core.
2014-02-16, 08:55 PM
I did start writing a PDO mysql adapter for MyBB, but it is in no way complete or even tested. https://github.com/euantorano/MyBB-PDO-MySQL
2014-02-16, 09:06 PM
I'm used to prepared statement of pdo and i dont wana change the core database methods in Mybb. When i have to upgrade the forum i have to change all that again. This sucks! Any idiot can play around with sql queries now via url modification. When will Mybb ever get up to date with the times!
2014-02-16, 09:09 PM
(2014-02-16, 09:06 PM)KLOX94 Wrote: [ -> ]Any idiot can play around with sql queries now via url modification. When will Mybb ever get up to date with the times!
Only if you're a sloppy developer. If you don't escape your inputs then yes, people can modify your queries.
2014-02-16, 09:19 PM
(2014-02-16, 09:09 PM)Nathan Malcolm Wrote: [ -> ](2014-02-16, 09:06 PM)KLOX94 Wrote: [ -> ]Any idiot can play around with sql queries now via url modification. When will Mybb ever get up to date with the times!
Only if you're a sloppy developer. If you don't escape your inputs then yes, people can modify your queries.
With what ? mysql_real_escape... ? I already use integer values to confirm form input from the user. With a simple (int) and is_numeric() i can verify that. But the strings i'm used to putting them in a prepare bind PDO statement. This is wrong, i thought atleast mybb autodetected the pdo module but that was a failure.