  1. #1 New Coder (Sweden)

    mysql_real_escape_string()

    Is it safe to use the PHP function mysql_real_escape_string() on all data I put in a MySQL db, no matter what datatype it is?

    Or should it just be used on varchar, char and text columns?

    Since I have generic getter and setter methods it would be easy to escape and unescape everything without checking the datatype first...

  • #2 New to the CF scene (Utah)
    Yes, Yes, Yes!

    Escaping data is not just about avoiding single or double quotes that might break your statement or corrupt your table data. It is also about avoiding SQL injection:

    PHP Code:
    $public_posted_data = "'; SHOW TABLES;";
    $sql = "SELECT * FROM tbl WHERE key='$public_posted_data'";

    So, if you are just avoiding corrupt data in your db, don't use escaping on every datatype. Then again, if you don't want somebody to screw with your data and hack your site, USE it.

    I'd also suggest using a database abstractor like PEAR::DB as well that has prepared statements.
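The point the original question is really asking about, and that the reply above only hints at, is that escaping protects a quoted string literal and nothing else. Below is an added example (not code from this thread or from PEAR) that runs offline against an in-memory SQLite database through PDO; for MySQL, swap the DSN for something like "mysql:host=localhost;dbname=app;charset=utf8mb4". PDO::quote() stands in for mysql_real_escape_string(): it does the same job and has the same limits (the mysql_* extension itself was removed in PHP 7.0). The table, the rows and the attacker strings are constructed for the example; openDb() and names() are helpers written for it.

```php
<?php
// Added example, not code from the thread. Runs offline on SQLite via PDO;
// for MySQL change the DSN. PDO::quote() plays the role that
// mysql_real_escape_string() played in the old mysql_* API.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0)");
    return $db;
}

/** Comma-separated names from a result set, or "(none)". */
function names(PDOStatement $st): string
{
    return implode(',', $st->fetchAll(PDO::FETCH_COLUMN)) ?: '(none)';
}

$db = openDb();

// Constructed attacker input aimed at an INTEGER column. It contains no quote,
// backslash or NUL byte, so an escaping function leaves it completely untouched.
$id = '2 OR is_admin = 1';

// 1. Escaped but not quoted: the "I escape everything, whatever the type"
//    approach on a numeric column. There is nothing for the escaper to escape.
$escaped = substr($db->quote($id), 1, -1);          // escape without quoting
$st = $db->query("SELECT name FROM users WHERE id = $escaped");
echo "escaped, unquoted : " . names($st) . "\n";     // alice,bob -> injected

// 2. Prepared statement: the value travels separately from the SQL text and
//    can never change the query's structure, whatever the column type.
$st = $db->prepare('SELECT name FROM users WHERE id = :id');
$st->execute([':id' => $id]);
echo "prepared          : " . names($st) . "\n";     // (none) on SQLite; MySQL's
                                                      // lenient cast yields bob; never alice

// 3. Better still, reject the value before it reaches the query at all.
$clean = filter_var($id, FILTER_VALIDATE_INT);
if ($clean === false) {
    echo "validated         : rejected, not an integer\n";
} else {
    $st = $db->prepare('SELECT name FROM users WHERE id = :id');
    $st->bindValue(':id', $clean, PDO::PARAM_INT);
    $st->execute();
    echo "validated         : " . names($st) . "\n";
}

// 4. For a real string column a bound parameter neutralises the quote that the
//    thread's "'; SHOW TABLES;" example relies on.
$name = "'; SHOW TABLES; --";
$st = $db->prepare('SELECT name FROM users WHERE name = :name');
$st->execute([':name' => $name]);
echo "string column     : " . names($st) . "\n";     // (none)
```

Two caveats a practitioner should keep in mind: escaping is only safe when every escaped value is also wrapped in quotes in the SQL, which a generic setter that escapes blindly does not guarantee for numeric columns; and mysql_real_escape_string() escapes according to the connection's character set, so an application that sets the charset with a bare "SET NAMES" instead of mysql_set_charset() can be bypassed with certain multibyte encodings. Bound parameters have neither problem.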

  • #3 JohnDubya, Super Moderator (Missouri)
    Or you can do what I've been doing lately and use the "ctype_" functions in PHP to validate that the data is of a certain kind (alphanumeric, digits, etc.). For strings that shouldn't have anything other than letters and numbers (no ' or " or anything else), I do an if statement like this:

    PHP Code:
    if (!ctype_alnum($variable)) {
        // hold the presses! don't insert into mysql because this string is not just letters and numbers!
    }

    I actually built these into functions, which check user data for empty(), strlen() is too long or short, and for the correct ctype_. Pretty cool.
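The helpers described in the post above (empty check, length bounds, then a ctype_* class check) are easy to write as one whitelist validator. The following is an added example, not JohnDubya's own code; validateField() and the rule names are this example's, the inputs are constructed, and it needs PHP 8 for match() and the mixed type.

```php
<?php
// Added example, not code from the post. One validator in the spirit of the
// helpers described above: reject non-strings, empties, bad lengths, and
// anything outside the requested ctype_* character class.

/**
 * Returns null when $value is acceptable, otherwise a short reason string.
 * $type selects the character class; $min and $max bound the byte length.
 */
function validateField(mixed $value, string $type, int $min = 1, int $max = 64): ?string
{
    if (!is_string($value)) {          // arrays from foo[]=x, ints, null
        return 'not a string';
    }
    if ($value === '') {               // empty() would also reject "0", which
        return 'empty';                // is a perfectly valid digit string
    }
    $len = strlen($value);
    if ($len < $min || $len > $max) {
        return "length $len outside $min..$max";
    }
    $ok = match ($type) {
        'alnum'  => ctype_alnum($value),
        'alpha'  => ctype_alpha($value),
        'digit'  => ctype_digit($value),
        'xdigit' => ctype_xdigit($value),
        default  => throw new InvalidArgumentException("unknown type $type"),
    };
    return $ok ? null : "not $type";
}

// Constructed inputs: the sort of thing a form or query string delivers.
$cases = [
    ['user123',            'alnum',  3, 16],
    ["'; DROP TABLE t;--", 'alnum',  3, 16],
    ['',                   'alnum',  3, 16],
    ['0',                  'digit',  1, 10],   // empty("0") is true; still a valid digit string
    ['12 OR 1=1',          'digit',  1, 10],
    ['deadBEEF',           'xdigit', 8,  8],
    ['José',               'alpha',  1, 16],   // non-ASCII letters fail ctype_alpha
    [['a', 'b'],           'alnum',  1, 16],   // foo[]=a&foo[]=b arrives as an array
];
foreach ($cases as [$value, $type, $min, $max]) {
    $why = validateField($value, $type, $min, $max);
    printf("%-22s %-7s %s\n", var_export($value, true), $type, $why ?? 'ok');
}
```

Two things to note. The ctype_* functions test bytes against the current locale, so they reject accented or non-Latin letters; where those are legitimate, use preg_match() with the /u modifier and an explicit Unicode class instead. And whitelist validation narrows what reaches the database but is a complement to parameterised queries, not a replacement: a field that legitimately contains apostrophes (a surname, a free-text comment) still needs to go through a bound parameter.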
