Escape function?
high6
Jun 13th, 2008, 09:08 AM
Is there a good escape function or do I have to make one? The mysql escape function, I don't think escapes Char().
RudiVisser
Jun 13th, 2008, 09:57 AM
I don't understand what you mean by it doesn't escape Char(). If you mean Chr(), what exactly are you trying to escape??
You can use addslashes, stripslashes, htmlentities, urlencode and mysql_real_escape_string for escapes, of course not all at the same time.
If you're storing funny characters in a database it may be best to base64_encode() them so you can decode when needed.
DigiRev
Jun 14th, 2008, 05:01 PM
I use this for any data that is provided by user input that will go into a query...
    // Escape a value for use inside a quoted string literal in a MySQL query.
    // $param1 is the raw user input, $param2 the link returned by mysql_connect().
    // (The mysql_* extension this relies on was removed in PHP 7.0.)
    function escape_data($param1, $param2) {
        // With magic_quotes_gpc on, PHP has already added slashes to GPC input;
        // strip them first so the value is not escaped twice.
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($param1);
        } else {
            $data = $param1;
        }
        // Escape using the character set of the given connection.
        return mysql_real_escape_string($data, $param2);
    }
You pass the data you want to 'escape' to the first argument, and the connection to the database to the 2nd argument, which is whatever is returned from the mysql_connect() function.
(I more-or-less got this from the book I learned PHP from, so if there is a better way then I am open to suggestions...)
penagate
Jun 14th, 2008, 09:46 PM
Best method is not to escape. Use parameterised queries instead, and a library that supports them. (PDO, MDB2, mysqli, et al.)
high6
Jun 14th, 2008, 11:52 PM
Best method is not to escape. Use parameterised queries instead, and a library that supports them. (PDO, MDB2, mysqli, et al.)
?
I don't understand what you mean by it doesn't escape Char(), if you mean Chr() what exactly are you trying to escape??
You can use addslashes, stripslashes, htmlentities, urlencode and mysql_real_escape_string for escapes, of course not all at the same time.
If you're storing funny characters in a database it may be best to base64_encode() them so you can decode when needed.
Just everything that can be used to exploit the SQL. Char(39) is a single quote, and doesn't MySQL parse it as such (leaving room for exploitation)?
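As an added example (not code from any of the posters), the following PHP script puts penagate's advice and high6's Char(39) question side by side: the same lookup done by pasting the value into the SQL text and by binding it as a parameter. It uses PDO with the pdo_sqlite driver and an in-memory database so it runs offline; the table and the two sample names are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The quoting rules of MySQL and
// SQLite differ, which is one reason hand-rolled escaping is error-prone;
// binding parameters sidesteps the question for every driver.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

    // Insert through a prepared statement: the values travel as data, so an
    // apostrophe, or a string that merely looks like a function call, is
    // stored verbatim and never reaches the SQL parser as syntax.
    $insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
    foreach (["O'Brien", 'CHAR(39)'] as $name) {
        $insert->execute([$name]);
    }
    return $pdo;
}

// Vulnerable: the untrusted value is interpolated into the SQL text. The
// apostrophe in O'Brien terminates the literal early; here that surfaces as a
// syntax error, which is the same parsing behaviour an attacker relies on.
function lookupUnsafe(PDO $pdo, string $name): string
{
    try {
        $row = $pdo->query("SELECT name FROM users WHERE name = '$name'")->fetchColumn();
        return $row === false ? '(no match)' : (string) $row;
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hardened: the SQL text is fixed at prepare time and the value is bound as a
// parameter, so it can only ever be compared as a string. CHAR(39) sent this
// way is the seven characters C-H-A-R-(-3-9-), not a function call.
function lookupSafe(PDO $pdo, string $name): string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetchColumn();
    return $row === false ? '(no match)' : (string) $row;
}

$pdo = openDb();
foreach (["O'Brien", 'CHAR(39)'] as $input) {
    printf("input %-9s | unsafe: %s\n", $input, lookupUnsafe($pdo, $input));
    printf("%-15s | safe:   %s\n", '', lookupSafe($pdo, $input));
}
```

Running it, the concatenated query fails on O'Brien while the bound query returns the row; CHAR(39) comes back as the literal text it was stored as in both cases, because a value inside a string literal (or a bound parameter) is never evaluated as an expression. CHAR(39) only becomes a quote when the input has already escaped the quotes around it, which is precisely what parameters, or correct escaping, prevent.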
RudiVisser
Jun 15th, 2008, 07:03 AM
For prepared statements take a read here: http://www.databasejournal.com/features/mysql/article.php/3599166
I'm pretty sure there *used* to be a bug in mysql_real_escape_string where it would miss some characters but it was fixed in PHP 5.something. Just make sure you're running the latest version of PHP and you should be fine.
penagate
Jun 15th, 2008, 09:12 AM
Prepared statements and parameters are actually two different concepts, although they often go hand-in-hand.
high6
Jun 15th, 2008, 06:09 PM
For prepared statements take a read here: http://www.databasejournal.com/features/mysql/article.php/3599166
I'm pretty sure there *used* to be a bug in mysql_real_escape_string where it would miss some characters but it was fixed in PHP 5.something. Just make sure you're running the latest version of PHP and you should be fine.
Where can I get the source for mysql_real_escape_string?
RudiVisser
Jun 15th, 2008, 06:10 PM
It's a built in function.
vbforums.com
Copyright Internet.com Inc., All Rights Reserved.