-
Jun 13th, 2008, 09:08 AM
#1
Thread Starter
Frenzied Member
Escape function?
Is there a good escape function, or do I have to make one? I don't think the MySQL escape function escapes Char().
-
Jun 13th, 2008, 09:57 AM
#2
Hyperactive Member
Re: Escape function?
I don't understand what you mean by "it doesn't escape Char()". If you mean Chr(), what exactly are you trying to escape?
You can use addslashes, stripslashes, htmlentities, urlencode and mysql_real_escape_string for escapes, of course not all at the same time.
If you're storing funny characters in a database it may be best to base64_encode() them so you can decode when needed.
» Twitter: @rudi_visser : Website: www.rudiv.se «
If Apple fixes security flaws, they are heralded as proactive. If Microsoft fixes a security flaw, they finally got around to fixing their buggy OS.
-
Jun 14th, 2008, 05:01 PM
#3
Re: Escape function?
I use this for any data that is provided by user input that will go into a query...
PHP Code:
function escape_data($value, $dbc) {
    // Undo the slashes PHP adds to GET/POST/COOKIE data when magic_quotes_gpc
    // is on, so the value is not escaped twice.
    if (ini_get('magic_quotes_gpc')) {
        $value = stripslashes($value);
    }
    // Escape using the open connection's character set.
    return mysql_real_escape_string($value, $dbc);
}
You pass the data you want to 'escape' to the first argument, and the connection to the database to the 2nd argument, which is whatever is returned from the mysql_connect() function.
(I more-or-less got this from the book I learned PHP from, so if there is a better way then I am open to suggestions...)
-
Jun 14th, 2008, 09:46 PM
#4
Re: Escape function?
Best method is not to escape. Use parameterised queries instead, and a library that supports them. (PDO, MDB2, mysqli, et al.)
-
Jun 14th, 2008, 11:52 PM
#5
Thread Starter
Frenzied Member
Re: Escape function?
 Originally Posted by penagate
Best method is not to escape. Use parameterised queries instead, and a library that supports them. (PDO, MDB2, mysqli, et al.)
?
 Originally Posted by RudiVisser
I don't understand what you mean by "it doesn't escape Char()". If you mean Chr(), what exactly are you trying to escape?
You can use addslashes, stripslashes, htmlentities, urlencode and mysql_real_escape_string for escapes, of course not all at the same time.
If you're storing funny characters in a database it may be best to base64_encode() them so you can decode when needed.
Just everything that can be used to exploit the SQL. Char(39) is a single quote, and doesn't MySQL parse it as such (causing room for exploitation)?
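The three situations argued over in posts #3 to #5 (escaping a value inside a quoted literal, escaping a value that is interpolated unquoted into a numeric comparison, and binding the value as a parameter), run against an in-memory SQLite database so the example works offline. This is an added illustration, not code from the thread. SQLite stands in for MySQL, so escape_sqlite() implements SQLite's quote-doubling rule and is only a stand-in for the idea behind mysql_real_escape_string, which applies MySQL's backslash rules for the connection's character set. The users table and the payloads are constructed for the demonstration.

```python
"""Quoted escaping vs. unquoted interpolation vs. bound parameters.

Added illustration for this thread, not code posted in it. SQLite stands in
for MySQL so the example runs offline; escape_sqlite() therefore implements
SQLite's rule (double every single quote) and is only a stand-in for the idea
behind mysql_real_escape_string, which uses MySQL's backslash rules and the
connection's character set. The users table and payloads are constructed.
"""
import sqlite3

# Constructed sample rows.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape_sqlite(value):
    """Make VALUE safe inside a single-quoted SQLite literal.

    SQLite has no backslash escapes: the only character that can end the
    literal is ', and it is escaped by doubling. This is NOT the MySQL rule.
    """
    return value.replace("'", "''")


def by_name_unescaped(conn, name):
    # Vulnerable: raw interpolation lets the input close the literal.
    sql = f"SELECT id FROM users WHERE name = '{name}' ORDER BY id"
    return conn.execute(sql).fetchall()


def by_name_escaped(conn, name):
    # Escaping works here because the value sits inside quotes; anything
    # between the quotes, CHAR(39) included, is just text to the parser.
    sql = f"SELECT id FROM users WHERE name = '{escape_sqlite(name)}' ORDER BY id"
    return conn.execute(sql).fetchall()


def by_id_escaped(conn, user_id):
    # Escaping does not help: there are no quotes to break out of, so the
    # whole value is parsed as SQL and char(39)=char(39) is simply true.
    sql = f"SELECT id FROM users WHERE id = {escape_sqlite(user_id)} ORDER BY id"
    return conn.execute(sql).fetchall()


def by_id_param(conn, user_id):
    # Bound parameter: the value travels separately from the statement text
    # and is never parsed as SQL, quoted or not.
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload_quoted = "' OR 1=1 --"
    payload_numeric = "1 OR char(39)=char(39)"
    print("raw, quoted context:     ", by_name_unescaped(db, payload_quoted))
    print("escaped, quoted context: ", by_name_escaped(db, payload_quoted))
    print("escaped, CHAR(39) text:  ", by_name_escaped(db, "CHAR(39) OR 1=1"))
    print("escaped, numeric context:", by_id_escaped(db, payload_numeric))
    print("bound parameter:         ", by_id_param(db, payload_numeric))
    print("bound parameter, valid:  ", by_id_param(db, "1"))
```

The CHAR(39) case answers the question in post #5: inside a quoted literal the text CHAR(39) is data, not a function call; it only executes when the value is dropped into the query unquoted, and in that position no escaping function can help because there is nothing to escape. The escaper is also deliberately dialect-specific: reusing escape_sqlite() against MySQL would be unsafe, since MySQL treats backslash as an escape and would read the doubled quotes in `\''` as an escaped quote followed by the end of the literal. That dependence on the server's dialect and connection character set is what mysql_real_escape_string exists to handle, and what bound parameters (PDO's prepare()/execute() or mysqli's bind_param(), as post #4 suggests) remove from the application entirely.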
-
Jun 15th, 2008, 07:03 AM
#6
Hyperactive Member
Re: Escape function?
For prepared statements take a read here: http://www.databasejournal.com/featu...le.php/3599166
I'm pretty sure there *used* to be a bug in mysql_real_escape_string where it would miss some characters but it was fixed in PHP 5.something. Just make sure you're running the latest version of PHP and you should be fine.
-
Jun 15th, 2008, 09:12 AM
#7
Re: Escape function?
Prepared statements and parameters are actually two different concepts, although they often go hand-in-hand.
-
Jun 15th, 2008, 06:09 PM
#8
Thread Starter
Frenzied Member
Re: Escape function?
 Originally Posted by RudiVisser
For prepared statements take a read here: http://www.databasejournal.com/featu...le.php/3599166
I'm pretty sure there *used* to be a bug in mysql_real_escape_string where it would miss some characters but it was fixed in PHP 5.something. Just make sure you're running the latest version of PHP and you should be fine.
Where can I get the source for mysql_real_escape_string?
-
Jun 15th, 2008, 06:10 PM
#9
Hyperactive Member
Re: Escape function?
It's a built in function.