Liquid Fire Posted March 31, 2008

I am trying to make a general function in my database class that will escape strings and prevent injection attacks, and I don't want to assume that mysql_real_escape_string will work for Postgres, MSSQL, Oracle, etc. These functions will be moved to PECL, which I don't want to have to require to use my framework, so I have come up with this function:

<?php
class Database
{
    public function encode_value($value)
    {
        // Search for bare and backslash-escaped quotes.
        $search  = array("'", "\\'", '"', '\"');
        // Replace them with HTML entities (entity strings reconstructed here;
        // the forum rendering had decoded them back to bare quotes).
        $replace = array('&#39;', '&#39;', '&quot;', '&quot;');
        return str_replace($search, $replace, $value);
    }
}
?>

Would this be good? Am I missing anything to escape? I am using PDO, so does PDO have a function to escape strings for queries?

NOTE: I want to allow HTML to be inserted, which is why I am not using htmlentities; not allowing HTML to be inserted should be done at a higher level in the code, IMO.
Psycho Posted March 31, 2008

Well, if your application uses a different database, don't you have to change ALL the functionality that deals with the database? In other words, wouldn't you also need to change the INSERTs, UPDATEs, and SELECTs as well? I would suggest that you create (or use available) classes for all database operations. Use a different class for each database type you want to use. Then in each one include a function to properly escape the code using the correct function for that database type. So the mysql class will include mysql_real_escape_string(), while the other classes would use different functions. But the method of calling that function will be the same for each class, so your base code does not need to be modified for the database you are using.
Liquid Fire Posted March 31, 2008 (Author)

There are at least 5 database types that PDO supports. If I were to make 5 database classes as you suggest, 1 for each, and then I want to add a function down the road, I would have to add it to 5 spots, or any changes would be to 5 spots, and so on. Now, granted, the amount of change I would make to my database class is not going to be much after it is done, but the point of PDO is to allow you to connect to any database from one class, which is how my database class is structured. At worst case my encode function would be:

<?php
class Database
{
    // Driver name of the active connection, e.g. 'mysql' or 'mssql'.
    private $type;

    public function encode($value)
    {
        if ($this->type === 'mysql') {
            // mysql specific encoding
        } else if ($this->type === 'mssql') {
            // mssql specific encoding
        }
        // etc... for each type
        return $value;
    }
}
?>

This would make the maintainability of my database class a lot easier. I was just wondering if there is a standard set of characters that all databases don't handle inside the query or if it is different between vendors.
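The question in the first post (does PDO have its own escaping function?) and the per-vendor encode() sketched above can both be answered by letting PDO do the work: PDO::quote() already applies the connected driver's rules, and bound parameters remove the need to escape at all. This is an added example, not code from the thread; it assumes PHP with the pdo_sqlite driver and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example: delegate quoting and parameter binding to PDO instead of a hand-written
// per-vendor encode(). Assumes the pdo_sqlite driver is available.

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Driver-aware quoting: PDO::quote() uses the escaping rules of whatever driver the
// connection was opened with, so the caller needs no vendor branches. The PHP manual
// notes that not every driver implements it (PDO_ODBC is the documented exception).
function quoted_literal(PDO $pdo, string $value): string
{
    $quoted = $pdo->quote($value);
    if ($quoted === false) {
        throw new RuntimeException('This PDO driver does not implement quote()');
    }
    return $quoted;
}

// Preferred: bound parameters. The value never becomes part of the SQL text, so nothing
// has to be escaped, and markup in the value is stored byte-for-byte (the "allow HTML"
// requirement from the first post).
function insert_post(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetch_post(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$pdo = open_demo_db();
// Constructed sample input: a single quote plus HTML, the cases encode() was meant to cover.
$sample = "O'Reilly wrote <b>\"bold\"</b>";
echo quoted_literal($pdo, $sample), PHP_EOL;
$id = insert_post($pdo, $sample);
var_dump(fetch_post($pdo, $id) === $sample);
```

The final comparison is true because binding stores the original string unchanged, with no entities substituted, which is what a higher-level layer would then decide to render or sanitise.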
Psycho Posted March 31, 2008

One class or five, either will work. Personally I would go with separate classes and select the appropriate class based upon a config value. I just wouldn't be confident that there is a one-size-fits-all solution for each type of database.