|
|
Posted by Oli Filth on 11/07/16 11:31
frizzle said the following on 07/11/2005 15:34:
> Thanks Oli,
>
> I don't completely understand your answers:
> If i * always * use the mysql_real_escape_string() am i safe?
Yes, if all you're doing is taking values from users and putting them
into appropriate places in an INSERT query, e.g.:
INSERT INTO table (name, age, class) VALUES ('XXX', 'YYY', 'ZZZ')
If you're allowing more complex interaction, e.g.
SELECT FROM table XXXXXXXXXX
where the user is allowed to specify the condition string, then
obviously mysql_real_escape_string() is of no use here, and you're very
much less than safe.
> And with an insert statement, does it matter what kind of quotes i use
> for the query?
> Like
> "Select * From 'bla' "
> or
> 'Select * From \'bla\' ' ?
>
If you express a string in PHP code as:
$s = "This is 'some' text";
or
$s = 'This is \'some\' text';
the internal representation of $s will be:
This is 'some' text
in both cases. If you were then to do SomeFunction($s), it is this
internal representation that is used; how the string was originally
represented in code is no longer relevant.
Remember, PHP escaping is entirely separate from MySQL escaping. PHP
escaping is necessary to represent a string in PHP code, whereas MySQL
escaping is necessary to represent string-based data in a query string.
e.g. To insert:
This is 'some' text
into a MySQL database, the query string should be:
INSERT INTO table (field) VALUES ('This is \'some\' text')
and to represent that query string in literal PHP code, it should be:
"INSERT INTO table (field) VALUES ('This is \\'some\\' text')"
or:
'INSERT INTO table (field) VALUES (\'This is \\\'some\\\' text\')'
or:
"INSERT INTO table (field) VALUES ('"
. mysql_real_escape_string("This is \'some\' text")
. "')"
--
Oli
Navigation:
[Reply to this message]
|