The big mysql_real_escape_string() drain?


tinker

Recommended Posts

During my earlier blunderpus, I got a thinking (when reading manual on ), 'does mysql_real_escape_string() connect to the db every time it's called?'. Let's say I've a form with 20 elements and I check each one with mysql_real_escape_string(), is that actually making 20 separate connections (albeit small ones)? So I'm a thinking that I might use something like the following instead:

 

function php_escape($s)
{
/*
	- mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string,
		which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

	- (addslashes) Returns a string with backslashes before characters that need to be quoted in database
		queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
*/
$s = addslashes($s);
// addslashes() covers ', ", \ and NUL only; add the three bytes from MySQL's list it misses
// (newline, carriage return and \x1a, which MySQL writes as \n, \r and \Z)
$s = strtr($s, array("\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"));
return $s;
}

 

Does this fill the correct criteria or not?

Any suggestions, examples, ideas...


mysql_real_escape_string uses an existing connection to the database (it will error if there is not one). 

 

As the manual says, it calls the underlying MySQL client library (written in C) to perform the escaping...it doesn't actually connect to the database, it just needs to know that a connection exists so that it can use the client library.

 

The manual also tells you exactly what is escaped:

 

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

So are you saying when it says:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string

that 'mysql_real_escape_string' is from the PHP implementation of MySQL, or that it is executed within the remote MySQL db but doesn't have to go through the palaver of connecting because the connection is still active?

 

But even so, should that not be true for any request to the db, and therefore this still stresses the network and db?


If your php install has the mysql functions available, then it was compiled with the mysql client library.  This means that the mysql client code is available to it.  All of the php mysql functions relate to a function in the mysql client library.

 

What this means is that it's not going to the database to do the escaping...it's just calling the client library.

 

The reason, I think, a connection is required is so that the mysql library knows what encoding to use (some characters may be escaped slightly differently), and possibly so it knows what version of MySQL you are inserting to (although I can't think of a good reason why it would matter).

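As an added illustration (this is not code from the thread, and it is not how the client library is implemented), the script below escapes exactly the seven bytes the manual lists, byte by byte, and reports which of them addslashes() leaves alone. It is deliberately not charset-aware: the real mysql_real_escape_string() consults the connection's character set, which is why it needs an open connection and why a byte-wise substitute is not equivalent.

```php
<?php
// Added example for comparison only; not a replacement for the library call.
// Escapes the bytes listed in the PHP manual for mysql_real_escape_string():
// \x00, \n, \r, \, ', " and \x1a. Works on single bytes, so it ignores the
// connection character set that the real function takes into account.
function manual_list_escape($s)
{
    $map = array(
        "\x00" => "\\0",   // NUL
        "\n"   => "\\n",   // newline
        "\r"   => "\\r",   // carriage return
        "\\"   => "\\\\",  // backslash
        "'"    => "\\'",   // single quote
        "\""   => "\\\"",  // double quote
        "\x1a" => "\\Z",   // Ctrl-Z, which MySQL writes as \Z
    );
    return strtr($s, $map);
}

// Returns the bytes from the manual's list that addslashes() does not touch.
function bytes_missed_by_addslashes()
{
    $missed = array();
    foreach (array("\x00", "\n", "\r", "\\", "'", "\"", "\x1a") as $byte) {
        if (addslashes($byte) === $byte) {
            $missed[] = sprintf('\\x%02x', ord($byte));
        }
    }
    return $missed;
}

// Display helper: show control bytes as C-style escapes so raw NUL/\x1a are visible.
function show($label, $s)
{
    echo $label, ": ", addcslashes($s, "\0..\37"), "\n";
}

// Constructed input containing every byte from the manual's list.
$input = "O'Reilly \"quoted\" back\\slash\nline\rreturn\x00nul\x1aeof";

show("manual list ", manual_list_escape($input));
show("addslashes  ", addslashes($input));
echo "missed by addslashes(): ", implode(', ', bytes_missed_by_addslashes()), "\n";
// prints: missed by addslashes(): \x0a, \x0d, \x1a
```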
