_giles_ Posted February 27, 2007

Hi, I’ve run into some problems with EscapeShellArg() – wonder if you can help?

I’ve been using it very successfully to place single quotes around inputted text {e.g. EscapeShellArg($answer)} to prevent maliciously keyed data being stored in my database. As said, all has been well, running on my localhost – however things are not so good after uploading it to my domain. I’m now getting MySQL syntax errors trying to write to my databases, e.g.:

'users answer'' WHERE session_id = '6tidcs36jq4bm3cceu9nnqbi16' at line 3

Obviously the noticeable fact is the double single quote at the end of the user's answer, but I’m foxed as to where this is coming from. I’ve checked the syntax of the $answer parameter feeding the function and it’s fine, so there’s nowhere that can be adding this extra quote.

The one clue, after checking versions, is that there is a difference between my localhost (running PHP 4.3.10, MySQL 3.23.49 … ok, ok, I know it’s old) and my ISP (PHP 5.0.4, MySQL 4.1.20); however I’ve checked EscapeShellArg() in the MySQL manual and there appear to be no reported issues in implementation.

So that’s as far as my newbie brain has gotten me. I’d appreciate any thoughts you might have.

Thanks
Giles

Link to comment: https://forums.phpfreaks.com/topic/40403-problems-with-escapeshellarg/
fenway Posted February 27, 2007

I've never even heard of this function...
ShogunWarrior Posted February 27, 2007

"I've never even heard of this function..."

escapeshellarg is a function; however, it is only supposed to be used if the string is going to be passed as an argument to exec or system, not to a database function.
_giles_ Posted February 28, 2007 (Author)

Interesting! The coursework I've been following uses it to encapsulate keyed text inside single quotes before entering it into a database, the idea being that even malicious keystrokes will be seen as a string and therefore not acted upon by the system. Your response makes it appear that this is not standard practice ... which begs the question ... what is the standard practice to render malicious keystrokes harmless?
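Added example, not from any poster in this thread: it reproduces the doubled single quote the first post reports (escapeshellarg() wraps the whole value in its own quotes, so a query that also quotes the value ends up with ''…'') and then shows the standard answer to the last question, a parameterised query. The table, column names and the SQLite in-memory database are assumptions so the script runs offline; the PDO calls are the same with a MySQL DSN.

```php
<?php
// A value a user might type, containing a single quote (constructed sample).
$answer = "it's my answer";

// escapeshellarg() is for shell arguments: it returns the value wrapped in
// single quotes, with any embedded quote turned into the '\'' idiom.
$shellArg = escapeshellarg($answer);
echo $shellArg, "\n";            // 'it'\''s my answer'

// Reconstruction of the pattern in the first post: the SQL already quotes the
// value, so the quotes added by escapeshellarg() double up and MySQL rejects it.
$sid = '6tidcs36jq4bm3cceu9nnqbi16';
$broken = "UPDATE users SET answer = '$shellArg' WHERE session_id = '$sid'";
echo $broken, "\n";              // ... answer = ''it'\''s my answer'' WHERE ...

// The right tool for SQL: a prepared statement. The driver sends the data
// separately from the query text, so quotes in the data cannot change the
// structure of the query. SQLite in memory is used only so this runs offline;
// for MySQL replace the DSN with e.g. 'mysql:host=localhost;dbname=app'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (session_id TEXT PRIMARY KEY, answer TEXT)');
$pdo->exec("INSERT INTO users (session_id, answer) VALUES ('$sid', '')");

$stmt = $pdo->prepare('UPDATE users SET answer = :answer WHERE session_id = :sid');
$stmt->execute([':answer' => $answer, ':sid' => $sid]);

// The value is stored verbatim, with no extra quotes and no syntax error.
$check = $pdo->prepare('SELECT answer FROM users WHERE session_id = :sid');
$check->execute([':sid' => $sid]);
echo $check->fetchColumn(), "\n";   // it's my answer
```

Under PHP 5.0.4 without PDO, the contemporary equivalent was to build the query with mysql_real_escape_string() on the value, inside the query's own single quotes, rather than escapeshellarg().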