I already see this thread going off-topic, but I don't understand why it would need a connection to the database server to enable it to know what to escape. Unless you mean which character encoding and all that.
I just wanted a function that you feed a string and get it back with the weird characters escaped. I posted here because I am sure there is more to it.
I thought he was saying that mysql_escape_string() needs a link and mysql_real_escape_string() doesn't. I always avoided mysql_escape_string because it is deprecated.
This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.
This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
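An added example (not from the thread or the PHP manual) of what "does not respect the current charset setting" means in practice: byte-wise escaping inserts a backslash that a GBK reader takes as the second byte of a character. addslashes() stands in for mysql_escape_string(), which no longer exists in PHP 7+; gbk_split() and has_unescaped_quote() are hypothetical helpers and the input is a constructed sample.

```php
<?php
// gbk_split() is a hypothetical helper, not a PHP or MySQL API. It splits
// bytes the way a GBK-aware reader would: a lead byte 0x81-0xFE followed by
// a trail byte 0x40-0xFE (except 0x7F) forms one two-byte character.
function gbk_split(string $bytes): array
{
    $chars = [];
    $n = strlen($bytes);
    for ($i = 0; $i < $n; $i++) {
        $lead = ord($bytes[$i]);
        if ($lead >= 0x81 && $lead <= 0xFE && $i + 1 < $n) {
            $trail = ord($bytes[$i + 1]);
            if ($trail >= 0x40 && $trail <= 0xFE && $trail !== 0x7F) {
                $chars[] = substr($bytes, $i, 2);
                $i++;               // consume the trail byte as well
                continue;
            }
        }
        $chars[] = $bytes[$i];      // single-byte character
    }
    return $chars;
}

// True if, read as GBK, a quote remains that is not preceded by a
// standalone backslash character.
function has_unescaped_quote(string $escaped): bool
{
    $prev = '';
    foreach (gbk_split($escaped) as $ch) {
        if ($ch === "'" && $prev !== '\\') {
            return true;
        }
        // A doubled backslash is a literal backslash and escapes nothing after it.
        $prev = ($ch === '\\' && $prev === '\\') ? '' : $ch;
    }
    return false;
}

$input   = "\xBF'";                 // constructed sample: stray lead byte + quote
$escaped = addslashes($input);      // byte-wise escaping, no charset knowledge

echo "escaped bytes: ", bin2hex($escaped), "\n";
echo "multibyte sample, quote left unescaped: ";
var_dump(has_unescaped_quote($escaped));
echo "plain ASCII sample, quote left unescaped: ";
var_dump(has_unescaped_quote(addslashes("O'Brien")));
```

This is why the escaping routine needs the link: only the connection knows which character set the server will use to read the bytes. Parameterized queries avoid the problem by not splicing data into the SQL text at all.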
I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.
The Ninja Space Goat wrote: I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.
Everah wrote: Maybe he just wants to escape the data, not necessarily for input into the database.
It's not necessarily for database input. Sometimes I am echo'ing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function.
Everah wrote: Daed, have you looked at the PHP source to see how it handles the job?
EDIT: OH, that's a good idea.
EDIT: I looked and all that I can say is: errrrr?!!!!!!
Daedalus- wrote: It's not necessarily for database input.
Well, in that case, I've got to wonder... why were you ever using mysql_real_escape_string for that purpose in the first place? It's meant to escape data for mysql input... not for sanitization in general. It's only meant to escape characters that could break the query and possibly make you vulnerable to SQL injection.
Daedalus- wrote:
It's not necessarily for database input. Sometimes I am echo'ing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function.
What you are trying to do kind of makes no sense.
Echoing escaped strings like that will not help you. The db class should do the actual escaping... so "before my db class is available" kind of makes no sense again.
I posted in Coding Critique because I wanted to improve this function. Perhaps it could be faster, perhaps it could be done with less code, etc. I do not think that I should need to explain my reasons for writing and using such a function in order to get help and I politely ask anyone who is not going to offer ways to improve the code to please refrain from posting in the thread.
Last edited by daedalus__ on Thu Nov 09, 2006 2:13 pm, edited 1 time in total.