Jump to content

Recommended Posts

So from what i know, if i don't properly escape my single and double quotes, if someone finds out theu can inserts there own MySQL statements.  Know i am build my own MySQL class and one thing i am going to do is build a InsertArray function so I just take the array in the proper format and let the class handle the escapes of the quotes.  I was just wondering what i sthe best way to escape quotes.  I know the way i have do it in the past is just replace " or ' with /" or /' but i think there might be a better way.  Would it be better to replace " and ' with their ASCII Codes so if would be " = &#34 and ' = &#39?

Link to comment
https://forums.phpfreaks.com/topic/47110-protecting-from-mysql-injection-attacks/
Share on other sites

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

 

sqlite_escape_string() will correctly quote the string specified by item for use in an SQLite SQL statement. This includes doubling up single-quote characters (') and checking for binary-unsafe characters in the query string.

 

pg_escape_string() escapes a string for insertion into the database. It returns an escaped string in the PostgreSQL format.

 

It seems they all differ a bit.  You can write your own preg_replace function to replace mysql_real_escape_string(), but you might need to write db-specific ones if you generalize your class.

 

A Google search turned up this.  I'm sure you can find the standard SQL escaped chars.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.