Re: PHP mysql_excape but need to search for those items [message #178378 is a reply to message #178358]
Tue, 12 June 2012 07:38
alvaro.NOSPAMTHANX
On 11/06/2012 17:34, mrgushi wrote:
> First time poster here. I'm working on an App that needs to be able to
> query my DB via PHP, in particular those items such as periods, commas,
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read only; is that enough?
>
> I was thinking of using JS to modify the query before they hit the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation... A period = punc1, a comma = punc2, etc.... Any
> alternate thoughts would be appreciated.
> THX
>
> PS- My app is an English Translation guide to Braille, so I need to be
> able to look up punctuation in the DB somehow.
You seem to think that mysql_real_escape_string() strips out certain
characters. Nope, it doesn't. A database library that corrupts data by
design would be pretty unreliable!
Just run this query in your favourite MySQL client (get one if you don't
have any):
SELECT 'O\'Brian'
Does it print a backslash? Sure it doesn't. The backslash is just a SQL
syntax element, just like the single quotes (which aren't printed either).
Whatever, if I were to write an app from scratch I wouldn't stick to the
legacy MySQL extension. Needing to escape all parameters one by one is
pretty annoying. Try out a library that offers prepared statements, such
as MySQLi or PDO.
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin-finish humour site: http://www.demogracia.com
--
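Added example, not part of Álvaro's reply or the original poster's app: a PDO prepared-statement lookup of the kind recommended above, where the punctuation is bound as a parameter instead of being escaped by hand or mapped to punc1/punc2 codes. The table, its columns and the Braille cell values are assumptions made up for the demo, and it uses an in-memory SQLite database so it runs without a server (swap the DSN for a mysql: one to run it against MySQL).

```php
<?php
// Added example (not from the original post). Assumption: the table, its
// columns and the cell values are invented for the demo; SQLite in-memory is
// used only so the script runs stand-alone. The PDO calls are the same for
// a DSN such as 'mysql:host=localhost;dbname=braille'.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE braille (symbol TEXT PRIMARY KEY, cell TEXT NOT NULL)');

// Constructed sample rows: every symbol is stored exactly as typed, quotes
// and backslashes included, because the values are bound, not interpolated.
$insert = $pdo->prepare('INSERT INTO braille (symbol, cell) VALUES (:symbol, :cell)');
foreach ([
    ['.',  'dots 2-5-6'],
    [',',  'dots 2'],
    ["'",  'dots 3'],
    ['/',  'dots 3-4'],
    ['\\', 'placeholder cell'],   // invented mapping, not a Braille rule
] as [$symbol, $cell]) {
    $insert->execute([':symbol' => $symbol, ':cell' => $cell]);
}

/**
 * Look up the cell for one symbol. Nothing is escaped here: the driver sends
 * $symbol as a parameter, so a quote or backslash is data, never SQL syntax.
 */
function lookupCell(PDO $pdo, string $symbol): ?string
{
    $stmt = $pdo->prepare('SELECT cell FROM braille WHERE symbol = :symbol');
    $stmt->execute([':symbol' => $symbol]);
    $cell = $stmt->fetchColumn();        // false when no row matches
    return $cell === false ? null : $cell;
}

// Punctuation the original poster worried about, plus a string that would be
// dangerous if concatenated into the query; with binding it simply finds no row.
foreach (['.', ',', "'", '/', '\\', "' OR 1=1 --"] as $probe) {
    printf("%-14s => %s\n", var_export($probe, true), lookupCell($pdo, $probe) ?? '(no match)');
}
```

The read-only MySQL account the poster mentions still limits the damage of a mistake elsewhere, but it is the parameter binding, not the account, that keeps the punctuation from being parsed as SQL.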