Liquid Fire Posted April 15, 2007
So from what I know, if I don't properly escape my single and double quotes, someone who finds out can insert their own MySQL statements. Now I am building my own MySQL class, and one thing I am going to do is build an InsertArray function, so I just pass in the array in the proper format and let the class handle escaping the quotes. I was just wondering what is the best way to escape quotes. I know the way I have done it in the past is just to replace " or ' with /" or /', but I think there might be a better way. Would it be better to replace " and ' with their ASCII codes, so it would be " = " and ' = '?
Link to comment https://forums.phpfreaks.com/topic/47110-protecting-from-mysql-injection-attacks/
bubblegum.anarchy Posted April 15, 2007
I am not sure what the best way is, but this is what I do:

    // strip the slashes magic_quotes_gpc added so the value is not escaped twice,
    // then let MySQL's own escaper quote it
    return "'" . (get_magic_quotes_gpc()
        ? mysql_real_escape_string(stripslashes($value))
        : mysql_real_escape_string($value)) . "'";
Liquid Fire Posted April 16, 2007 (Author)
I am looking for a way to do it without using MySQL-specific functions, because I might plan on trying to convert this class so it works with any type of SQL database, and I want to have to convert as little as possible if I do decide to do this.
Wildbug Posted April 16, 2007
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

sqlite_escape_string() will correctly quote the string specified by item for use in an SQLite SQL statement. This includes doubling up single-quote characters (') and checking for binary-unsafe characters in the query string.

pg_escape_string() escapes a string for insertion into the database. It returns an escaped string in the PostgreSQL format.

It seems they all differ a bit. You can write your own preg_replace function to replace mysql_real_escape_string(), but you might need to write db-specific ones if you generalize your class. A Google search turned up this. I'm sure you can find the standard SQL escaped chars.
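As an added example (not code posted in the thread), here is a PHP re-implementation of the escaping rule Wildbug quotes for mysql_real_escape_string, placed next to the forward-slash replacement the original poster described, and an InsertArray-style builder that applies either one so the difference shows up on an injection payload. The function names, the table and column names and the payload are made up for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: portable version of the MySQL escaping rule quoted above.
// Names (mysqlStyleEscape, naiveEscape, insertArray) are illustrative.

/**
 * Escape a value the way MySQL's C library does: prepend a backslash to
 * NUL, \n, \r, \, ', " and \x1a (Ctrl-Z). Byte-oriented; see the caveat below.
 */
function mysqlStyleEscape(string $value): string
{
    // strtr() with an array does a single pass and never re-scans replaced text,
    // so the backslashes it inserts are not escaped a second time.
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

/** The original poster's approach: put a forward slash in front of each quote. */
function naiveEscape(string $value): string
{
    return str_replace(["'", '"'], ["/'", '/"'], $value);
}

/**
 * Build an INSERT from an associative array (the InsertArray idea in the thread).
 * Column names come from the array keys and must originate in trusted code,
 * never in user input; only the values go through the escaper.
 */
function insertArray(string $table, array $row, callable $escape): string
{
    $columns = implode(', ', array_map(fn($c) => "`$c`", array_keys($row)));
    $values  = implode(', ', array_map(fn($v) => "'" . $escape((string) $v) . "'", $row));
    return "INSERT INTO `$table` ($columns) VALUES ($values)";
}

// Constructed attacker input: closes the string literal and appends a second statement.
$payload = "bob', 'x'); DROP TABLE users; -- ";
$row     = ['name' => $payload, 'email' => 'bob@example.com'];

echo insertArray('users', $row, 'naiveEscape'), "\n";
echo insertArray('users', $row, 'mysqlStyleEscape'), "\n";
```

Run it with PHP 7.4 or newer. In the first statement the name value comes out as 'bob/', /'x/'); DROP TABLE users; -- ': a forward slash means nothing to the SQL parser, so the quote after bob/ still closes the string and the rest of the payload is parsed as SQL. In the second it comes out as 'bob\', \'x\'); DROP TABLE users; -- ': every quote is now a literal character inside one string value. Two caveats a practitioner should keep in mind. This escaping is byte-oriented and knows nothing about the connection's character set, which is why the real mysql_real_escape_string() takes a connection handle; a hand-rolled version can be wrong under multi-byte charsets. And the database-agnostic answer to the author's goal is not a portable escaper at all but prepared statements (PDO::prepare with bound parameters), which send values separately from the SQL text so nothing has to be escaped.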