https://forums.phpfreaks.com/topic/47110-protecting-from-mysql-injection-attacks/

Liquid Fire, posted April 15, 2007

So from what I know, if I don't properly escape my single and double quotes and someone finds out, they can insert their own MySQL statements. Now I am building my own MySQL class, and one thing I am going to do is build an InsertArray function, so I just pass in the array in the proper format and let the class handle the escaping of the quotes. I was just wondering what is the best way to escape quotes. I know the way I have done it in the past is to just replace " or ' with /" or /', but I think there might be a better way. Would it be better to replace " and ' with their ASCII codes, so it would be " = " and ' = '?
bubblegum.anarchy, posted April 15, 2007

I am not sure what the best way is, but this is what I do:

    return "'" . (get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($value)) : mysql_real_escape_string($value)) . "'";
Liquid Fire (author), posted April 16, 2007

I am looking for a way to do it without using MySQL-specific functions, because I might plan on converting this class so it works with any type of SQL database, and I want to have to convert as little as possible if I do decide to do this.
Wildbug, posted April 16, 2007

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

sqlite_escape_string() will correctly quote the string specified by item for use in an SQLite SQL statement. This includes doubling up single-quote characters (') and checking for binary-unsafe characters in the query string.

pg_escape_string() escapes a string for insertion into the database. It returns an escaped string in the PostgreSQL format.

It seems they all differ a bit. You can write your own preg_replace function to replace mysql_real_escape_string(), but you might need to write DB-specific ones if you generalize your class. A Google search turned up this. I'm sure you can find the standard SQL escaped chars.
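The portability problem Wildbug raises, and the backslash-escaping approach from the opening post, as an added example that is not part of this thread. Python's sqlite3 module is used so that it runs offline without a MySQL server; the point carries over to the PHP class unchanged. mysql_escape() reimplements the character list quoted above (using MySQL's actual replacement text, e.g. NUL becomes \0 and Control-Z becomes \Z), sqlite_escape() doubles single quotes as the SQLite note describes, and one constructed attacker payload is run through both against an in-memory SQLite table. The table, its rows and the payload are made up for the demonstration. The last function uses a parameterized query, which the thread does not discuss but is the usual way to make such a class engine-independent.

```python
import sqlite3

# Replacements performed by MySQL's mysql_real_escape_string() for the
# characters listed in Wildbug's post. MySQL emits "\0" for NUL and "\Z"
# for Control-Z rather than a backslash followed by the raw byte; the
# MySQL parser accepts both forms.
MYSQL_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Backslash-escape a string the way MySQL's C API does.

    Correct only for MySQL with backslash escapes enabled (the default).
    SQLite and standard SQL treat a backslash inside a string literal as
    an ordinary character, so this escaping protects nothing there.
    """
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def sqlite_escape(value: str) -> str:
    """Escape for SQLite (and standard SQL): double every single quote."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample table, used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def lookup_with_escape(conn, username, escape):
    """Concatenate the value into the SQL text, relying on `escape`."""
    sql = "SELECT name FROM users WHERE name = '%s'" % escape(username)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    """Let the driver bind the value; no quoting logic in our code."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return sorted(row[0] for row in rows)


# Constructed attacker input. After MySQL-style escaping it becomes
#     \' OR 1=1 --
# which SQLite reads as the one-character literal '\' followed by a
# tautology and a comment that swallows the closing quote.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("mysql-style escaping on SQLite:",
          lookup_with_escape(conn, PAYLOAD, mysql_escape))   # ['alice', 'bob', 'carol']
    print("sqlite-style escaping:        ",
          lookup_with_escape(conn, PAYLOAD, sqlite_escape))  # []
    print("parameterized query:          ",
          lookup_parameterized(conn, PAYLOAD))               # []
```

The first line of output is the whole table: the escaping that is correct for MySQL is a no-op for SQLite, which is exactly why a single hand-rolled preg_replace cannot serve every engine. Note also that PHP's mysql_real_escape_string() consults the connection's character set, which a byte-by-byte replacement does not, so even on MySQL a handwritten substitute is weaker than the library call.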