On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:

> > Yes, the mysql_real_escape_string() function uses the database's character 
> > encoding to determine how to encode the
> > string, whereas the older deprecated version mysql_escape_string() required 
> > no connection as it always assumed
> > Latin-1 (as far as I know)
> Is there such a function that always assumes UTF-8? That's what it
> always will be.
> > The data itself only needs to be sanitised just prior to being inserted 
> > into the DB anyway, it
> > shouldn't be used to validate data in any way, there are functions 
> > specifically for that. To me, it just seems that the logic
> > of the script is flawed if you require the data to be sanitised before a 
> > connection has been made to the DB.
> >
> I am not requiring the data to be sanitised before a connection has
> been made to the DB. The function that calls
> mysql_real_escape_string() is in an include file of commonly-reused
> functions. Scripts that connect to databases and scripts that do not
> connect to databases include this file.
> To clarify, the include file contains these functions:
> function clean_mysql ($dirty)
> function clean_html ($dirty)
> function make_paginated_links_menu ($pages, $difference)
> function obfuscate_email_address ($address)
> Not all of the functions are used in all scripts, however, this file
> of reusable functions is included in all of them. Only the clean_mysql
> function gives me trouble because it calls mysql_real_escape_string().
> --
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il

No, and you clearly missed the point about that function being pretty
much dead anyway.

You mentioned also in your last email that you would make a DB
connection if none existed. That should be very easy if you read the
page on mysql_real_escape_string()

It says:

Returns the escaped string, or FALSE on error.

So all you have to do, is have warnings turned off (as it generates an
E_WARNING if you have no active connection) and then look at the return
value of a call to the function:

if (mysql_real_escape_string($variable) === false) {
    // create a default DB connection
}
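
An added example, not part of the original message: the clean_mysql() helper named earlier in the thread, written around the FALSE return-value check described above. It assumes PHP 5's ext/mysql (the API under discussion; removed in PHP 7), and the connection constants are placeholders.

```php
<?php
// Placeholder connection settings (assumptions, not values from the thread).
define('DEFAULT_DB_HOST', 'localhost');
define('DEFAULT_DB_USER', 'example_user');
define('DEFAULT_DB_PASS', 'example_password');

/**
 * Escape a string for use inside a quoted MySQL string literal,
 * opening a default connection first if none is active.
 */
function clean_mysql($dirty)
{
    // @ hides the E_WARNING raised when there is no active connection;
    // the FALSE return value is what tells us the call failed.
    $clean = @mysql_real_escape_string($dirty);
    if ($clean !== false) {
        return $clean;
    }

    // No usable connection: create the default one.
    $link = @mysql_connect(DEFAULT_DB_HOST, DEFAULT_DB_USER, DEFAULT_DB_PASS);
    if ($link === false) {
        // Fail closed: never hand the unescaped input back to the caller.
        throw new RuntimeException('clean_mysql(): cannot connect to database');
    }

    // Escaping depends on the connection character set, so set it
    // explicitly (UTF-8 here, as the thread says the data always is).
    if (!mysql_set_charset('utf8', $link)) {
        throw new RuntimeException('clean_mysql(): cannot set connection charset');
    }

    $clean = mysql_real_escape_string($dirty, $link);
    if ($clean === false) {
        throw new RuntimeException('clean_mysql(): escaping failed');
    }
    return $clean;
}
```

Scripts that never touch the database pay nothing for including the file, because the connection is only attempted when clean_mysql() is actually called.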

