I typically do something like this:

$data_sql = mysql_real_escape_string($data, $connection);
$query = "insert into data(data) values('$data_sql')";
$insert = mysql_query($query, $connection);
if (!$insert){
  trigger_error(mysql_error($connection), E_USER_ERROR);

My custom error handler logs the mysql error, and displays a nice
generic "Something went wrong. Please try again or contact us" message
to the user, wrapped in the page layout, and then exits.

I've just noticed that while the function signature says:
string mysql_real_escape_string( ...)

The docs say it could return FALSE in case of error.

I'm not real sure what all could cause a FALSE return.

Obviously, if the database server/process/chipmunk has DIED just
before the call to mysql_real_escape_string, I'll get FALSE back.

If the input string is just too whack for the function to parse, could
I get FALSE, and then I'd be inserting junk into the DB?

Or is it possible that the function returns FALSE for what is
obviously a hack attempt?

I guess I'm asking if anybody adds a line like:

if ($data_sql === false){
  trigger_error(mysql_error($connection), E_USER_ERROR);

Or is that not really going to do anything useful/better than what I
already have?

Some people ask for gifts here.
I just want you to buy an Indie CD for yourself:

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to