> I typically do something like this:
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
> The docs say it could return FALSE in case of error.
> I'm not real sure what all could cause a FALSE return.
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
> I guess I'm asking if anybody adds a line like:
> if ($data_sql === false){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
> Or is that not really going to do anything useful/better than what I
> already have?

Yes, you could add that condition, and it would be helpful if you also
include the value of $data in addition to mysql_error so you can
examine and figure out what caused it to return FALSE.

Also, the PHP manual says this:
mysql_query() will also fail and return FALSE if the user does not
have permission to access the table(s) referenced by the query.


PHP General Mailing List (http://www.php.net/)
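What an unchecked FALSE does to the query from the original message, together with the check and the input logging suggested in the reply. This is an added example, not part of either message: the `$working` and `$failing` callables are constructed stand-ins so it runs without a database, and `log_safe` and `build_insert` are hypothetical names.

```php
<?php
// Added example. $escape is a stand-in callable so the sketch runs without a
// database; in the thread's code it would wrap mysql_real_escape_string().

// Render untrusted input for a log line: bounded length, hex-encoded so
// newlines or control bytes in $data cannot forge or break log entries.
function log_safe($data, $max = 64) {
    $suffix = strlen($data) > $max ? ' (truncated)' : '';
    return 'len=' . strlen($data) . ' hex=' . bin2hex(substr($data, 0, $max)) . $suffix;
}

// Build the INSERT from the thread, refusing to continue when escaping failed.
function build_insert($data, $escape) {
    $data_sql = call_user_func($escape, $data);
    // Strict comparison: a legitimately empty string "" must still pass.
    if ($data_sql === false) {
        error_log('escape failed for input ' . log_safe($data));
        return false;
    }
    return "insert into data(data) values('$data_sql')";
}

// Constructed stand-ins (assumptions): one escaper that works and one that
// fails the way a dead connection would. addslashes() is NOT a safe SQL
// escaper; it only keeps this sketch self-contained.
$working = function ($s) { return addslashes($s); };
$failing = function ($s) { return false; };

// Without the check, FALSE interpolates as an empty string. The resulting
// query is still valid SQL, so the later mysql_query() check would not fire
// and an empty value would be stored in place of the user's data.
$unchecked = $failing("O'Reilly");
echo "insert into data(data) values('$unchecked')", "\n";

var_dump(build_insert("O'Reilly", $working)); // normal path
var_dump(build_insert("O'Reilly", $failing)); // escape failure: logged, no query built
var_dump(build_insert("", $working));         // empty input is not treated as a failure
```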