On Tue, 20 Oct 2009 14:58:32 +0200, Dotan Cohen wrote:

>> Yes, the mysql_real_escape_string() function uses the databases
>> character encoding to determine how to encode the string, whereas the
>> older deprecated version mysql_escape_string() required no connection
>> as it always assumed Latin-1 (as far as I know)
> Is there such a function that always assumes UTF-8? That's what it
> always will be.

   If you're sure that all your data is UTF-8, and that
all user-supplied data is *actually valid* UTF-8 (and
not deliberately or accidentally malformed), then
mysql_escape_string() should be just fine [1].

   It should be fine for any character set that leave
ASCII characters unchanged and do not contain any
characters that could (partially) be mistaken for one of
the "dangerous" ASCII characters.

   Of course, mysql_escape_string() is deprecated and will
be removed in PHP6 [2], in which case you could fix all
the bugs in the hand-rolled function posted earlier and
use that.

> I am not requiring the data to be sanitised before a connection has been
> made to the DB. The function that calls mysql_real_escape_string() is in
> an include file of commonly-reused functions. Scripts that connect to
> databases and scripts that do not connect to databases include this
> file. 
> To clarify, the include file contains these funtions: function
> clean_mysql ($dirty) function clean_html ($dirty) function
> make_paginated_links_menu ($pages, $difference) function
> obfuscate_email_address ($address) 

*Or*, you could do the *obvious* thing [3]:

  function clean_mysql ($dirty, $connection) { ... }

But then, you'll end up having to rewrite a lot of
function calls [4].


[1]: Unless it's not.
[2]: Unless it isn't.
[3]: Well, one of them anyway.
[4]: Unless you don't.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to