Saturday, December 1, 2018

mysql - Safe alternative to mysql_real_escape_string? (PHP)



I am passing a variable to a function that executes a query




The MySQL connection only occurs inside the function, and closes inside the function



I want to be able to safely escape strings BEFORE I send them to the function



I can't use mysql_real_escape_string because it requires a MySQL connection (which is only being made inside the function)



I know the simple answer would be to escape strings inside the function, but I cannot do this because I need to send some escaped, and some non-escaped parts of a string



For example, I need to run the function like this:




myquery("'" . escape_me("My string") . "'");


Notice I am sending two apostrophe's-- unescaped, with an escaped string inside. For this reason I can't do a blanket mysql_real_escape_string on arguments inside of myquery function.



I found the following code, suggesting that I could use it as an alternative to mysql_real_escape_string:



// escape characters
function escape_me($value) {

    $return = '';
    for($i = 0; $i < strlen($value); ++$i) {
        $char = $value[$i];
        $ord = ord($char);
        if($char !== "'" && $char !== "\"" && $char !== '\\' && $ord >= 32 && $ord <= 126)
            $return .= $char;
        else
            $return .= '\\x' . dechex($ord);
    }
    return $return;

}


I do not know if this function is safe from multibyte attacks, but I think I also need to undo the function every time I query



For example, inputting:
Testing 3's "OK" is turned into Testing 3x27s x22OKx22 in the database



So my main question is:
Do you know if there is another function I can use as an alternative to mysql_real_escape_string that will safely escape characters?



Answer




  • It's terrible idea to connect every time you're calling this function. A good planned application wouldn't have such odd limitation.

  • you can use substitutions, like this
    myquery("SELECT * FROM table WHERE id = %s","My string");


  • You can use another way of substitutions, a modern one: prepared statements. it will be described in numerous other answers.




as noone posted it yet, here is rough example



function fetchAll(){

 $args = func_get_args();
 $query = array_shift($args);
 $stmt = $pdo->prepare($query);
 $stmt->execute($args);
 return $stmt->fetchAll();
}
$a=$db->fetchAll("SELECT * FROM users WHERE status=? LIMIT ?,?",$status,$start,$num);




  • As long as you're using single-byte encoding or utf-8, no need to use mysql_real_escape_string, so mysql_escape_string(deprecated) or addslashes would be enough


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

plot explanation - Why did Peaches&#39; mom hang on the tree? - Movies &amp; TV

In the middle of the movie Ice Age: Continental Drift Peaches' mom asked Peaches to go to sleep. Then, she hung on the tree. This parti...