So, actually taking a minute to read up on addcslashes(), it is a rather handy
little function.
Taking the list of characters that mysql_real_escape_string() says it escapes:
http://us3.php.net/mysql_real_escape_string
Which it lists: \x00, \n, \r, \, ', and \x1a
\0 = \x0
\10 = \n
Dotan Cohen wrote:
So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.
Correct, addslashes() works fine for latin1 (single byte encoding) but
does not work properly when used with a multibyte encoded string.
That is most likely the reason why
] Sanitizing potential MySQL strings with no database
connection
if(@mysql_real_escape_string($variable) === false)
Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.
Thank you!
--
Dotan Cohen
http://what
Dotan Cohen wrote:
So, actually taking a minute to read up on addcslashes(), it is a rather handy
little function.
Taking the list of characters that mysql_real_escape_string() says it escapes:
http://us3.php.net/mysql_real_escape_string
Which it lists: \x00, \n, \r, \, ', and \x1a
\0 =
Jim Lucas wrote:
Dotan Cohen wrote:
So, actually taking a minute to read up on addcslashes(), it is a
rather handy
little function.
Taking the list of characters that mysql_real_escape_string() says it
escapes:
http://us3.php.net/mysql_real_escape_string
Which it lists: \x00, \n, \r, \,
If you look a little closer, you will see that I am not using addslashes().
Rather, I am using addcslashes(). This allows me to specify the characters
that I want escaped, instead of the default assumed characters from
addslashes().
I do not know which characters to escape.
--
Dotan Cohen
Thinking a little deeper here, you say you are concerned about the character
type, yet you say that it is all assumed UTF-8. Is everything going to be
UTF-8
or something else?
If it is all going to be UTF-8, then the addcslashes() variation above will
work.
It _should_ all be UTF-8 but
Dotan Cohen wrote:
If you look a little closer, you will see that I am not using addslashes().
Rather, I am using addcslashes(). This allows me to specify the characters
that I want escaped, instead of the default assumed characters from
addslashes().
I do not know which characters to
On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:
Dotan,
You are making this thing harder than it has to be.
All you need is to replicate the escaping of the same characters that
mysql_real_escape_string() escapes. Simply do that. They are listed on the
function's manual page
Dotan,
You are making this thing harder than it has to be.
All you need is to replicate the escaping of the same characters that
mysql_real_escape_string() escapes. Simply do that. They are listed on the
function's manual page on php.net
http://php.net/mysql_real_escape_string
Here is
Your only option might be to do something smart. You can't use the
proper mysql functions without a connection to a database, but you
refuse to connect to a database until after you perform validation...
You do realise you can have several db connections open at one time, so
you could
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
Your only option might be to do something smart. You can't use the
proper mysql functions without a connection to a database, but you
refuse to connect to a database until after you perform validation...
You do realise you
From: Ashley Sheridan
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
Your only option might be to do something smart. You can't use
the
proper mysql functions without a connection to a database, but you
refuse to connect to a database until after you perform
validation...
On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:
From: Ashley Sheridan
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
Your only option might be to do something smart. You can't use
the
proper mysql functions without a connection to a database, but you
refuse to
Your only option might be to do something smart. You can't use the proper
mysql functions without a connection to a
database, but you refuse to connect to a database until after you perform
validation...
More accurate to say that the file in which the function is stored
does not know if
Yes, the mysql_real_escape_string() function uses the database's character
encoding to determine how to encode the
string, whereas the older deprecated version mysql_escape_string() required
no connection as it always assumed
Latin-1 (as far as I know)
Is there such a function that always
On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:
Yes, the mysql_real_escape_string() function uses the database's character
encoding to determine how to encode the
string, whereas the older deprecated version mysql_escape_string() required
no connection as it always assumed
If says:
Returns the escaped string, or FALSE on error.
So all you have to do, is have warnings turned off (as it generates an
E_WARNING if you have no active connection) and then look at the return
value of a call to the function:
if(mysql_real_escape_string($variable) === false)
{
To: a...@ashleysheridan.co.uk; dotanco...@gmail.com
CC: php-general@lists.php.net
Date: Tue, 20 Oct 2009 15:50:52 +0200
Subject: RE: [PHP] Sanitizing potential MySQL strings with no database
connection
If says:
Returns the escaped string, or FALSE on error.
So all you have to do, is have
On Tue, 20 Oct 2009 14:58:32 +0200, Dotan Cohen wrote:
Yes, the mysql_real_escape_string() function uses the database's
character encoding to determine how to encode the string, whereas the
older deprecated version mysql_escape_string() required no connection
as it always assumed Latin-1 (as
On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
I have no idea if it will work, [...]
Well, you're right so far...
<?php
function clean_string($input) {
/**
* Character to escape...
* \x0 \n \r \ ' \x1a
**/
$patterns = array( \x0,
No, and you clearly missed the point about that function being pretty much
dead anyway.
I understand that mysql_escape_string() is deprecated. Asking about
other similar functions does not seem out of line.
You mentioned also in your last email that you would make a DB connection if
2009/10/20 Andrea Giammarchi an_...@hotmail.com:
even better
$error_reporting = error_reporting(0);
if(mysql_real_escape_string($variable) === false)
{
error_reporting($error_reporting);
// create a default DB connection
} else
error_reporting($error_reporting);
Dotan Cohen wrote on 2009-10-20 20:06:
if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}
Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But in fact this seems to be
the key that I was
If you're sure that all your data is UTF-8, and that
all user-supplied data is *actually valid* UTF-8 (and
not deliberately or accidentally malformed), then
mysql_escape_string() should be just fine [1].
I cannot ensure that the users will not be malicious, even if it is
all internal
Dotan Cohen wrote:
2009/10/20 Andrea Giammarchi an_...@hotmail.com:
even better
$error_reporting = error_reporting(0);
if(mysql_real_escape_string($variable) === false)
{
error_reporting($error_reporting);
// create a default DB connection
} else
if(@mysql_real_escape_string($variable) === false)
Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.
Thank you!
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--
PHP General Mailing List
On Tue, 20 Oct 2009 20:04:51 +0200, Nisse Engström wrote:
On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
/**
* Character to escape...
* \x0 \n \r \ ' \x1a
**/
$patterns = array( \x0, \n, \r, \\, ',\, \x1a);
$replace = array(
Jim Lucas wrote:
Dotan Cohen wrote:
2009/10/19 Kim Madsen php@emax.dk:
Dotan Cohen wrote on 2009-10-18 21:21:
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
- Original Message -
From: Ashley Sheridan a...@ashleysheridan.co.uk
To: Dotan Cohen dotanco...@gmail.com
Cc: Jim Lucas li...@cmsws.com; php-general.
php-general@lists.php.net
Sent: Tuesday, October 20, 2009 4:02 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
Dotan Cohen wrote on 2009-10-18 21:21:
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
from http://www.php.net/manual/en/function.mysql-connect.php
$link =
2009/10/19 Kim Madsen php@emax.dk:
Dotan Cohen wrote on 2009-10-18 21:21:
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
from
Dotan Cohen wrote:
2009/10/19 Kim Madsen php@emax.dk:
Dotan Cohen wrote on 2009-10-18 21:21:
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
from
Dotan Cohen wrote:
How can I configure mysql_real_escape_string() to _not_ need a
database connection in order to do its work on a string. I understand
that the function wants a database connection to determine which
charset / encoding is in use, but in my case it will always be UTF-8.
I have
I assumed the reason you wanted to escape the string was so that you could
perform DB operations.
Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a
Dotan Cohen wrote on 2009-10-18 10:52:
I assumed the reason you wanted to escape the string was so that you could
perform DB operations.
Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a
test if you have a db connection in the function, if not, skip MRES and
other mysql_ functions?
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
In my
- Original Message
From: Dotan Cohen dotanco...@gmail.com
To: php-general. php-general@lists.php.net
Sent: Fri, October 16, 2009 7:13:41 PM
Subject: [PHP] Sanitizing potential MySQL strings with no database connection
How can I configure mysql_real_escape_string() to _not_ need a
- Original Message
From: Dotan Cohen dotanco...@gmail.com
To: Tommy Pham tommy...@yahoo.com
Cc: php-general. php-general@lists.php.net
Sent: Sat, October 17, 2009 10:59:52 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
connection
I don't think so