Is there a good escape function or do I have to make one? The mysql escape function, I don't think escapes Char().
I don't understand what you mean by it doesn't escape Char(), if you mean Chr() what exactly are you trying to escape??
You can use addslashes, stripslashes, htmlentities, urlencode and mysql_real_escape_string for escapes, of course not all at the same time.
If you're storing funny characters in a database it may be best to base64_encode() them so you can decode when needed.
I use this for any data that is provided by user input that will go into a query...
You pass the data you want to 'escape' to the first argument, and the connection to the database to the 2nd argument, which is whatever is returned from the mysql_connect() function.

PHP Code:

    // $param1: the raw user-supplied string
    // $param2: the MySQL link resource returned by mysql_connect()
    function escape_data($param1, $param2) {
        // If magic_quotes_gpc is on, PHP has already added backslashes to
        // GET/POST/COOKIE data; strip them first so the value is not escaped twice.
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($param1);
        } else {
            $data = $param1;
        }
        // Escape using the connection's character set so the result is
        // safe to place inside a quoted string literal in a query.
        return mysql_real_escape_string($data, $param2);
    }
(I more-or-less got this from the book I learned PHP from, so if there is a better way then I am open to suggestions...)
Best method is not to escape. Use parameterised queries instead, and a library that supports them. (PDO, MDB2, mysqli, et al.)
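The parameterised approach recommended above, written out as an added example (it is not code from any poster in this thread). It assumes a MySQL database named app on localhost, a user app with password secret, and a table users(id INT, username VARCHAR(64)); the lookup is shown once with PDO and once with mysqli so either library from the list can be used. The input deliberately contains a single quote, the character the original question worries about.

```php
<?php
// Added example: a lookup with a bound parameter via PDO and via mysqli.
// Assumed: database "app" on localhost, user "app"/"secret",
// table users(id INT, username VARCHAR(64)).

// Input containing a single quote. Concatenated into SQL this would end the
// string literal early; passed as a parameter it is only ever data.
$username = "o'reilly";

// --- PDO ---
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Send statement and values to the server separately instead of
        // letting the driver interpolate escaped values client-side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// The placeholder is part of the SQL text; the value never is.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
$rowsPdo = $stmt->fetchAll(PDO::FETCH_ASSOC);

// --- mysqli ---
$mysqli = new mysqli('localhost', 'app', 'secret', 'app');
// Tell the driver the connection charset; escaping and binding depend on it.
$mysqli->set_charset('utf8mb4');

$stmt = $mysqli->prepare('SELECT id, username FROM users WHERE username = ?');
$stmt->bind_param('s', $username); // 's' = bind the value as a string
$stmt->execute();
$rowsMysqli = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Both result sets contain only the row whose username is literally o'reilly,
// whatever characters the input happens to hold.
print_r($rowsPdo);
print_r($rowsMysqli);
```

A placeholder can only stand in for a value; it cannot name a table, column or sort direction, so anything of that kind that comes from the user still has to be checked against a fixed list of allowed identifiers before it goes into the query text.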
Quote:
Originally Posted by penagate
Just everything that can be used to exploit the sql. Char(39) is a single quote and doesn't the mysql parse it as such (causing room for exploitation)?
Quote:
Originally Posted by RudiVisser
For prepared statements take a read here: http://www.databasejournal.com/featu...le.php/3599166
I'm pretty sure there *used* to be a bug in mysql_real_escape_string where it would miss some characters but it was fixed in PHP 5.something. Just make sure you're running the latest version of PHP and you should be fine.
Prepared statements and parameters are actually two different concepts, although they often go hand-in-hand.
Where can I get the source for mysql_real_escape_string?
Quote:
Originally Posted by RudiVisser
It's a built-in function.