Dotan Cohen wrote:
>> If you look a little closer, you will see that I am not using addslashes().
>> Rather, I am using addcslashes(). This allows me to specify the characters
>> that I want escaped, instead of the default assumed characters from
>> addslashes().
>>
>
> I do not know which characte
> Thinking a little deeper here, you say you are concerned about the character
> type, yet you say that it is all assumed UTF-8. Is everything going to be
> UTF-8
> or something else?
>
> If it is all going to be UTF-8, then the addcslashes() variation above will
> work.
>
It _should_ all be UT
> If you look a little closer, you will see that I am not using addslashes().
> Rather, I am using addcslashes(). This allows me to specify the characters
> that I want escaped, instead of the default assumed characters from
> addslashes().
>
I do not know which characters to escape.
--
Dotan Coh
Jim Lucas wrote:
> Dotan Cohen wrote:
>>> So, actually taking a minute to read up on addcslashes(), it is a
>>> rather handy
>>> little function.
>>>
>>> Taking the list of characters that mysql_real_escape_string() says it
>>> escapes:
>>>
>>> http://us3.php.net/mysql_real_escape_string
>>>
>>> Wh
Dotan Cohen wrote:
So, actually taking a minute to read up on addcslashes(), it is a rather handy
little function.
Taking the list of characters that mysql_real_escape_string() says it escapes:
http://us3.php.net/mysql_real_escape_string
Which it lists: \x00, \n, \r, \, ', " and \x1a
\0 = \x
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
> connection
>
> > if(@mysql_real_escape_string($variable) === false)
> >
>
> Perfect! The @ symbol suppresses the error and I can structure the
> code according to whether or not there is a connecti
Dotan Cohen wrote:
So far as I understand mysql_real_escape_string() was invented because
addslashes() is not adequate.
Correct, addslashes() works fine for latin1 (single byte encoding) but
does not work properly when used with a multibyte encoded string.
That is most likely the reason why my
> So, actually taking a minute to read up on addcslashes(), it is a rather handy
> little function.
>
> Taking the list of characters that mysql_real_escape_string() says it escapes:
>
> http://us3.php.net/mysql_real_escape_string
>
> Which it lists: \x00, \n, \r, \, ', " and \x1a
>
> \0 = \x0
> \
- Original Message -
From: "Ashley Sheridan"
To: "Dotan Cohen"
Cc: "Jim Lucas" ; "php-general."
Sent: Tuesday, October 20, 2009 4:02 AM
Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
connection
On Tue, 2009
Jim Lucas wrote:
> Dotan Cohen wrote:
>> 2009/10/19 Kim Madsen :
>>> Dotan Cohen wrote on 2009-10-18 21:21:
>>>
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net
On Tue, 20 Oct 2009 20:04:51 +0200, Nisse Engström wrote:
> On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
>
>> /**
>>* Character to escape...
>>* \x0 \n \r \ ' " \x1a
>> **/
>>
>> $patterns = array( "\x0", "\n", "\r", "\\", "'","\"", "
> if(@mysql_real_escape_string($variable) === false)
>
Perfect! The @ symbol suppresses the error and I can structure the
code according to whether or not there is a connection.
Thank you!
--
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
--
PHP General Mailing List (http://www.p
Dotan Cohen wrote:
> 2009/10/20 Andrea Giammarchi :
>> even better
>>
>> $error_reporting = error_reporting(0);
>> if(mysql_real_escape_string($variable) === false)
>> {
>> error_reporting($error_reporting);
>>
>> // create a default DB connection
>>
>> } else
>> error_reporting($error_
> If you're sure that all your data is UTF-8, and that
> all user-supplied data is *actually valid* UTF-8 (and
> not deliberately or accidentally malformed), then
> mysql_escape_string() should be just fine [1].
>
I cannot ensure that the users will not be malicious, even if it is
all internal u
Dotan Cohen wrote on 2009-10-20 20:06:
if(mysql_real_escape_string($variable) === false)
{
// create a default DB connection
}
Here, the key seems to be to turn the warning level down, which I do
not have privileges to do on this server. But in fact this seems to be
the key that I was mis
2009/10/20 Andrea Giammarchi :
> even better
>
> $error_reporting = error_reporting(0);
> if(mysql_real_escape_string($variable) === false)
> {
> error_reporting($error_reporting);
>
> // create a default DB connection
>
> } else
> error_reporting($error_reporting);
> unset($error_repor
> No, and you clearly missed the point about that function being pretty much
> dead anyway.
>
I understand that mysql_escape_string() is deprecated. Asking about
other similar functions does not seem out of line.
> You mentioned also in your last email that you would make a DB connection if
>
On Mon, 19 Oct 2009 15:39:40 -0700, Jim Lucas wrote:
> I have no idea if it will work, [...]
Well, you're right so far...
>
> function clean_string($input) {
>
> /**
>* Character to escape...
>* \x0 \n \r \ ' " \x1a
> **/
>
> $patterns = array(
On Tue, 20 Oct 2009 14:58:32 +0200, Dotan Cohen wrote:
>> Yes, the mysql_real_escape_string() function uses the database's
>> character encoding to determine how to encode the string, whereas the
>> older deprecated version mysql_escape_string() required no connection
>> as it always assumed Latin-
To: a...@ashleysheridan.co.uk; dotanco...@gmail.com
> CC: php-general@lists.php.net
> Date: Tue, 20 Oct 2009 15:50:52 +0200
> Subject: RE: [PHP] Sanitizing potential MySQL strings with no database
> connection
>
>
> > If says:
> >
> > Returns the escaped string, o
> If says:
>
> Returns the escaped string, or FALSE on error.
>
> So all you have to do is have warnings turned off (as it generates an
> E_WARNING if you have no active connection) and then look at the return
> value of a call to the function:
>
> if(mysql_real_escape_string($variable) === fa
On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:
> > Yes, the mysql_real_escape_string() function uses the database's character
> > encoding to determine how to encode the
> > string, whereas the older deprecated version mysql_escape_string() required
> > no connection as it always assumed
>
> Yes, the mysql_real_escape_string() function uses the database's character
> encoding to determine how to encode the
> string, whereas the older deprecated version mysql_escape_string() required
> no connection as it always assumed
> Latin-1 (as far as I know)
Is there such a function that alwa
> Your only option might be to do something "smart". You can't use the proper
> mysql functions without a connection to a
> database, but you refuse to connect to a database until after you perform
> validation...
>
More accurate to say that the file in which the function is stored
does not know
On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:
> From: Ashley Sheridan
>
> > On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
> >> > Your only option might be to do something "smart". You can't use the
> >> > proper mysql functions without a connection to a database, but you
From: Ashley Sheridan
> On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
>> > Your only option might be to do something "smart". You can't use the
>> > proper mysql functions without a connection to a database, but you
>> > refuse to connect to a database until after you perform validat
On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
>
> > Your only option might be to do something "smart". You can't use the
> > proper mysql functions without a connection to a database, but you
> > refuse to connect to a database until after you perform validation...
> >
> > You do r
> Your only option might be to do something "smart". You can't use the
> proper mysql functions without a connection to a database, but you
> refuse to connect to a database until after you perform validation...
>
> You do realise you can have several db connections open at one time, so
> you co
> Dotan,
>
> You are making this thing harder than it has to be.
>
> All you need is to replicate the escaping of the same characters that
> mysql_real_escape_string() escapes. Simply do that. They are listed on the
> functions manual page on php.net
>
> http://php.net/mysql_real_escape_string
>
On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:
> > Dotan,
> >
> > You are making this thing harder than it has to be.
> >
> > All you need is to replicate the escaping of the same characters that
> > mysql_real_escape_string() escapes. Simply do that. They are listed on the
> > functions
Dotan Cohen wrote:
> 2009/10/19 Kim Madsen :
>> Dotan Cohen wrote on 2009-10-18 21:21:
>>
>>> I thought that one could not test if a database connection is
>>> established or not, this is the most relevant thing that I found while
>>> googling that:
>>> http://bugs.php.net/bug.php?id=29645
>> from
2009/10/19 Kim Madsen :
> Dotan Cohen wrote on 2009-10-18 21:21:
>
>> I thought that one could not test if a database connection is
>> established or not, this is the most relevant thing that I found while
>> googling that:
>> http://bugs.php.net/bug.php?id=29645
>
> from http://www.php.net/manual/
Dotan Cohen wrote on 2009-10-18 21:21:
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
from http://www.php.net/manual/en/function.mysql-connect.php
$link =
> test if you have a db connection in the function, if not, skip MRES and
> other mysql_ functions?
>
I thought that one could not test if a database connection is
established or not, this is the most relevant thing that I found while
googling that:
http://bugs.php.net/bug.php?id=29645
> In my op
Dotan Cohen wrote on 2009-10-18 10:52:
I assumed the reason you wanted to escape the string was so that you could
perform DB operations.
Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different
> I assumed the reason you wanted to escape the string was so that you could
> perform DB operations.
Yes, that is my intention. However, the function is found in an
include file of functions used in many different scripts, each of
which connect to a different database or may not connect to a data
Dotan Cohen wrote:
How can I configure mysql_real_escape_string() to _not_ need a
database connection in order to do its work on a string. I understand
that the function wants a database connection to determine which
charset / encoding is in use, but in my case it will always be UTF-8.
I have a
- Original Message
> From: Dotan Cohen
> To: Tommy Pham
> Cc: php-general.
> Sent: Sat, October 17, 2009 10:59:52 AM
> Subject: Re: [PHP] Sanitizing potential MySQL strings with no database
> connection
>
> > I don't think so since the mysql
> I don't think so since the mysql_real_escape_string() requires a connection
> handler. Why not use bind param?
>
Thanks. I just googled bind param but I am still a bit unclear as to
what is going on.
To be clear, I have a file of functions that I use in many scripts,
let's call it functions.in
- Original Message
> From: Dotan Cohen
> To: php-general.
> Sent: Fri, October 16, 2009 7:13:41 PM
> Subject: [PHP] Sanitizing potential MySQL strings with no database connection
>
> How can I configure mysql_real_escape_string() to _not_ need a
> database connection in order to do its