How to disable highlighting for SQL code in phpstorm? - phpstorm

How to disable highlighting for SQL code in phpstorm ?
i ever disabled all sql inspection..but color and fonts rules continue to overight
my php string color rules .
Here is an Exemple for what i want to achieve :
$var_php = " all text here is red , SELECT * and whatever sql code is in red too " ;

SQL Language is automatically injected in strings that contain SQL code (which are detected by the typical patterns, e.g. select xx from etc). It also injected in HEREDOC/NOWDOC if you use special label (SQL).
You can disable these (selected on the screenshot below) and any other unwanted injection rules or create your own at Settings/Preferences | Editor | Language Injections.
P.S. Since you do not need any SQL/DB support at all, you may just disable SQL/database support plugins completely.
If you do like such injections in general but just do not want them in a specific place only (e.g. because of the false positive match) then you can force plain text in that string. For example:
$str = /** #lang Text */ 'Select all entries from my cool database';
Please note that such comment must be placed just before the actual string (so it can be used in function call params or alike), not before the whole variable assignment/statement like ordinary PHPDoc comments.
P.S. The same is possible other way around: force SQL in some string that is not autodetected by Language Injection rules (e.g. when string is split into concatenated bits or uses unknown/unexpected sequence/syntax).

You can disable it while leaving other SQL highlighting / inspections alone by creating a new IntelliLang injection which specifically does not match DQL. I used the presence of the : character. This will prevent the IDE from highlighting DQL, and also marking it as error or reformatting it incorrectly.
I've created a Gist with instructions here:
https://gist.github.com/willemnviljoen/d20ad8ad0cc365a7e80744328246610f

Usually PHPstorm does a pretty good job of deciding when SQL string literals should be inspected as SQL code. For individual cases where it gets it wrong, the most "proper" way to disable inspection for a single line is probably the PHPDoc comment mentioned in another answer, like:
$str = /** #lang Text */ 'Select the answer from the list';
But that seems messy to me. Luckily, you can trick PHPstorm pretty easily, as it seems to ignore the string if the first word in a "sentence" is not a SQL keyword (SELECT/UPDATE etc). So a simple (though a bit more hackish) way is to just split the string, like:
$str = 'Select'.' the answer from the list';

Related

Need to remove legacy shortcodes w/ variable content from WordPress pages using MySQL

I have many pages (posts) in a WP site with legacy short code that needs to be removed and cannot accomplish what I need using WordPress find/replace plug-ins - so I'm turning to MySQL queries.
The shortcodes to be removed all follow the same pattern: "[nivo... (variable content) .../nivo]
I need to remove the entire nivo shortcode and ONLY the nivo shortcode because other shortcodes exist on some pages.
I found something very close to what I think I need, and modified the obvious parameters for this particular application as follows...
UPDATE `post_content`
REPLACE(txt, SUBSTRING(txt, LOCATE('[nivo', txt), LENGTH(txt) - LOCATE('nivo]', REVERSE(txt)) - LOCATE('nivo]', txt) + 10), '')
WHERE txt LIKE '%(%)%'
That ^^^ is accepted in the SQL query window (no stop signs) but returns a #1064 error when executed.
Ideally I would like to TEST this first on a specific post ID just to be sure it's really catching everything but I couldn't figure out how to write that into the query.
I know VERY little about MySQL (I'm a designer) but I have DB backups ready for rollback just in case.
Help would be greatly appreciated.
The key is that you want to use a plugin or tool that allows you to use regex (regular expressions). I have used this Php tool, you just put it in your public_html and then access the path via a web browser: https://interconnectit.com/search-and-replace-for-wordpress-databases/
Just use a little regex in the Php tool or find a find and replace plugin that allows you to use regex. It would look something like this:
\[nivo.*?/nivo\]
\ means escaping a character, since the bracket has a special meaning in regex.
. means any character
* means any number of characters
? means 0 or more
.*? together means anything or nothing
For reference (and probably a better answer):
PHP - Remove Shortcodes and Content in between with Regex Pattern

MySQL find/replace with a unique string inside

not sure how far I'm going to get with this, but I'm going through a database removing certain bits and pieces in preparation for a conversion to different software.
I'm struggling with the image tags as on the site they currently look like
[img:<string>]<image url>[/img:<string>]
those strings are in another field called bbcode_uid
The query I'm running to make the changes so far is
UPDATE phpbb_posts SET post_text = REPLACE(post_text, '[img:]', '');
So my actual question, is there any way of pulling in each string from bbcode_uid inside of that SQL query so that I don't have to run the same command 10,000+ times, changing the unique string every time.
Alternatively could I include something inside [img:] to also include the next 8 characters, whatever they may be, as that is the length of the string that is used.
Hoping to save time with this, otherwise I might have to think of another way of doing it.
As requested.
The text I wish to replace would be
[img:1nynnywx]http://i.imgur.com/Tgfrd3x.jpg[/img:1nynnywx]
I want to end up with just
http://i.imgur.com/Tgfrd3x.jpg
Just removing the code around the URL, however each post_text has a different string which is contained inside bbcode_uid.
Method 1
LIB_MYSQLUDF_PREG
If you want more regular expression power in your database, you can consider using LIB_MYSQLUDF_PREG. This is an open source library of MySQL user functions that imports the PCRE library. LIB_MYSQLUDF_PREG is delivered in source code form only. To use it, you'll need to be able to compile it and install it into your MySQL server. Installing this library does not change MySQL's built-in regex support in any way. It merely makes the following additional functions available:
PREG_CAPTURE extracts a regex match from a string. PREG_POSITION returns the position at which a regular expression matches a string. PREG_REPLACE performs a search-and-replace on a string. PREG_RLIKE tests whether a regex matches a string.
All these functions take a regular expression as their first parameter. This regular expression must be formatted like a Perl regular expression operator. E.g. to test if regex matches the subject case insensitively, you'd use the MySQL code PREG_RLIKE('/regex/i', subject). This is similar to PHP's preg functions, which also require the extra // delimiters for regular expressions inside the PHP string
you can refer this link :github.com/hholzgra/mysql-udf-regexp
Method 2
Use php program, fetch records one by one , use php preg_replace
refer : www.php.net/preg_replace
reference:http://www.online-ebooks.info/article/MySql_Regular_Expression_Replace.html
You might be able to do this with substring_index().
The following will work on your example:
select substring_index(substring_index(post_text, '[/img:', 1), ']', -1)

mysql_query syntax variation: at, quotes and curly braces

I am learning MySQL/php through online tutorials and have found the techniques and syntax different from different sources.
In one tutorial, I enter data (from an HTML form) like this:
$table = "ENTRIES";
$sql = "INSERT INTO $table SET
TITLE = '$_POST[title]',
SUMMARY = '$_POST[summary]',
CONTENT = '$_POST[content]'";
$query = #mysql_query($sql);
And in another, like this:
mysql_query("
INSERT INTO `posts` SET
`title` = '{$_POST['title']}',
`contents` = '{$_POST['post']}'
");}
They both work, and I understand the different variable arrangements. BUT I have the following questions, probably all related. (I gather that #mysql_query suppresses error messages, SO if that is what is going on here, can you please explain how it is functioning and what is actually proper syntax?)
1) In the first example, in #mysql_query(), it doesn't matter if I use ("") or ('') ... but in the second example, in mysql_query(), it breaks if I use (''). In fact it tells me that there is an unexpected {, which leads to my next question:
2) What is the deal with the {} in the second example? They don't seem to be doing anything, but it breaks without them.
3) In the first example, is breaks if I enclose title, summary, and content in single quotes ''. In the second, with 'title' and 'post', it breaks if I don't!
Any explanations or references/links comprehensible to a beginner would be much appreciated!
Run far away from this tutorial and fine one that uses PDO / mysqli and explains how to properly parameterize queries.
Anyway, your questions are PHP specific and have to do with variable interpolation in strings. In quoted strings (") variables are interpolated, and arrays can be accessed via:
"{$var['value']}"
"$var[value]"
Either one is valid ... they function identically and it's up to personal preference which one you should use.
mysql_query takes a string as an argument, so it actually makes no difference how you build it. Both of the above are valid. Using # makes no difference -- in fact, you shouldn't use it, and you should properly handle possible errors and check mysql_error

mysqli + ckeditor = escapes and breaking html

So I have been developing a little system in which, at a point, the user can type in some HTML into ckeditor, that HTML is then stored in a database (it's kind of a microCMS).
The problem is When using Mysqli, It inserts escape characters before and after " and ' in order to stop injection, logically, which breaks loads of HTML code.
for example
becomes
or somthing close to that, which breaks the code
Is there a way i can disable the injection prevention, or input it into the database another way ? Or mabi replace the /" when it is being taken from the database ?
Thanks
-jman6495
EDIT :
I have resolved the problem
I replaced the /" by " using the php str_replace function.
here's the code :
$pagecontent = str_replace('\"','"',$pagecontent);
echo $pagecontent;
thanks anyway
-jman6495
If you're seeing these characters when you fetch data back out you're somehow double-escaping the content. Check that you're only escaping it once, and doing it with the placeholder and not mysql_real_escape_string. You haven't fixed the problem. You've un-done the damage of a serious bug.
The purpose of SQL escaping is to insert the data correctly and reliably. For instance, O'Reilly should be O''Reilly for MySQL. The actual content in the database should be O'Reilly regardless of quoting.

What is the best solution for SQL injection security on MySQL?

What is the best function to run my strings through to ensure that MySQL injection is impossible?
Also, will it require running it through another function on the way out to make it display correctly?
See also
Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL with in clause
Can I protect against SQL Injection by escaping single-quote and
surrounding user input with
single-quotes?
Parameterized Queries
A parameter function.
Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.
As Chad says, always use parameterized queries to avoid SQL injection.
To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.
Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.
In PHP the best way is to use HTML escaping on strings.
It turns special characters into HTML compliant characters.
Example: " " (space) transforms into "%20".