Re: store backslash in mysql database [message #170730 is a reply to message #170729]
Wed, 17 November 2010 11:28
Jerry Stuckle
On 11/17/2010 5:53 AM, Helmut Chang wrote:
> Am 14.11.2010 20:08, schrieb Jerry Stuckle:
>> On 11/13/2010 3:41 AM, Helmut Chang wrote:
>>> Am 13.11.2010 04:28, schrieb Jerry Stuckle:
>
> That's what you wrote:
>
>>>> mysql_real_escape_string() won't change backslashes.
>
> That's what the manual says:
>
>>> | mysql_real_escape_string() calls MySQL's library function
>>> | mysql_real_escape_string, which prepends backslashes to the following
>>> | characters: \x00, \n, \r, \, ', " and \x1a.
>
> So the function escapes a backslash.
>
A single backslash, I agreed. But not all escaped characters.
>> You're correct on the specific case of "\n" and I am incorrect. However,
>> please read more closely. It does NOT handle every other instance of a
>> backslash - it doesn't, for instance, handle \t or \b, both of which are
>> valid control characters. In fact, it only handles 5 specific cases.
>
> Sorry, here you confuse the *string* "\t" with the *Tab*-Character,
> which can be expressed in PHP by writing:
>
> $data = "A\tB";
>
> This string internally contains no backslash. It contains three
> characters. You wrote:
>
> | mysql_real_escape_string() won't change backslashes. It has no way
> | to know if, for instance, "\n" is a newline character or a backslash
> | and an n.
>
> And I wrote that it does. And it's irrelevant that
> mysql_real_escape_string() does not escape a tab character, because
> there's no need to. But it must escape a backslash character, because
> MySQL itself also treats a backslash as an escape character:
>
> INSERT INTO foo (bar) VALUES ('A\tB');
> INSERT INTO foo (bar) VALUES ('A B');
>
> are equivalent.
>
> But if you want to insert a string "\t", the backslash must be escaped:
>
> INSERT INTO foo (bar) VALUES ('A\\tB');
>
> Here's a script:
>
> <?php
> $string1 = "A B";
> $string2 = "A\tB";
> $string3 = 'A\tB';
>
> var_dump($string1);
> var_dump($string2);
> var_dump($string3);
>
> $conn = mysql_connect('localhost', 'root', 'xxx');
>
> $escapedString1 = mysql_real_escape_string($string1, $conn);
> $escapedString2 = mysql_real_escape_string($string2, $conn);
> $escapedString3 = mysql_real_escape_string($string3, $conn);
>
> var_dump($escapedString1);
> var_dump($escapedString2);
> var_dump($escapedString3);
>
> mysql_select_db('test');
>
> $query = "INSERT INTO CharTest (CharColumn) VALUES ('%s')";
>
> mysql_query(sprintf($query, $escapedString1));
> mysql_query(sprintf($query, $escapedString2));
> mysql_query(sprintf($query, $escapedString3));
>
> $result = mysql_query('SELECT CharColumn FROM CharTest');
> while ($row = mysql_fetch_assoc($result))
> var_dump($row['CharColumn']);
>
> mysql_free_result($result);
> mysql_close($conn);
> ?>
>
>
I'm not confusing anything. You're making the assumption that the
string was created in PHP. I am not - I've seen before what happens
when a string incorrectly created by an extension caused problems in PHP.
There is NO indication that the encryption routine was written in PHP or
some other language; if it was another language, there can be other
problems which mysql_real_escape_string() cannot fix - because it is
depending on the string being created correctly in PHP.
And BTW - I figured out the difference between a tab character and the
string backslash-t about 25 years ago, when I was working with C.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
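
The behaviour argued about in this thread, as an added example that is not part of any post above: pure-PHP models of the escaping rule quoted from the manual and of MySQL's string-literal decoding, applied to a tab character and to a backslash followed by `t`. The function names `model_escape` and `model_mysql_literal` are hypothetical, and the decoder assumes the `NO_BACKSLASH_ESCAPES` SQL mode is off.

```php
<?php
// Added illustration; pure PHP, no database connection needed.

// Model of the rule in the quoted manual text: a backslash is prepended to
// \x00, \n, \r, \, ', " and \x1a. Every other byte, tab included, is untouched.
function model_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        '\\'   => '\\\\', "'" => "\\'", '"'  => '\\"',
    ]);
}

// Model of how MySQL decodes the body of a quoted string literal
// (assumption: the NO_BACKSLASH_ESCAPES SQL mode is off).
function model_mysql_literal(string $body): string
{
    $map = ['0' => "\x00", 'b' => "\x08", 'n' => "\n", 'r' => "\r",
            't' => "\t", 'Z' => "\x1a"];
    $out = '';
    for ($i = 0, $len = strlen($body); $i < $len; $i++) {
        $c = $body[$i];
        if ($c !== '\\' || $i + 1 === $len) {
            $out .= $c;                      // ordinary byte
            continue;
        }
        $next = $body[++$i];
        if ($next === '%' || $next === '_') {
            $out .= '\\' . $next;            // \% and \_ keep their backslash
        } else {
            $out .= $map[$next] ?? $next;    // \\ \' \" and unknown escapes
        }
    }
    return $out;
}

// Constructed sample values: the two strings the thread distinguishes.
$cases = [
    'tab character' => "A\tB",   // 3 bytes: A, 0x09, B
    'backslash + t' => 'A\tB',   // 4 bytes: A, 0x5c, t, B
];
foreach ($cases as $label => $value) {
    $unescaped = model_mysql_literal($value);               // value pasted as-is
    $escaped   = model_mysql_literal(model_escape($value)); // value escaped first
    printf("%-14s in=%s  stored unescaped=%s  stored escaped=%s  %s\n",
        $label, bin2hex($value), bin2hex($unescaped), bin2hex($escaped),
        $escaped === $value ? 'round trip ok' : 'CHANGED');
}
```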