Database Input Escaping thing

Post by daedalus__ »

I was thinking about how I really hate mysql_real_escape_string because you need a $link to use it. 15 minutes later I had written this.

I am sure there is much more to sanitizing database input and user input for that matter. Suggestions?

Code:

// Whitelist of byte values that pass through untouched:
// space (32), digits 0-9 (48-57), A-Z (65-90) and a-z (97-122).
$ValidCharacters = array(32);
for ($i = 48; $i <= 122; $i++)
{
	if ( ($i <= 57 || $i >= 65) && ($i <= 90 || $i >= 97) )
	{
		$ValidCharacters[] = $i;
	}
}

// Prefix every byte that is not on the whitelist with a backslash.
// Works one byte at a time, so it knows nothing about multibyte character sets.
function SanitizeString($string)
{
	global $ValidCharacters;

	// str_split('') returns array('') and ord('') is 0, which would turn an
	// empty input into a lone backslash; return early instead.
	if ($string === '')
	{
		return '';
	}

	$CharacterArray = str_split($string);
	$CharacterArrayCount = count($CharacterArray);
	for ($i = 0; $i < $CharacterArrayCount; $i++)
	{
		if (!in_array(ord($CharacterArray[$i]), $ValidCharacters))
		{
			$CharacterArray[$i] = '\\' . $CharacterArray[$i];
		}
	}
	return implode('', $CharacterArray);
}

Post by Luke »

It makes sense to me that you should supply it with a link... that way it knows what to escape... ?? I'm not sure I see the issue.

Post by daedalus__ »

I already see this thread going off-topic but, I don't understand why it would need a connection to the database server to enable it to know what to escape. Unless you mean which character encoding and all that.

I just wanted a function that you feed a string and get it back with the weird characters escaped. I posted here because I am sure there is more to it.

Post by Chris Corbyn »

Does mysql_escape_string() need a link? Not real escape.

Post by Luke »

Daedalus- wrote: Unless you mean which character encoding and all that.

That's precisely what I mean.

Post by daedalus__ »

d11wtq wrote: Does mysql_escape_string() need a link? Not real escape.

Every time I try to use mysql_real_escape_string() it tells me that it couldn't find a link.

Post by Luke »

look what he posted... hint: there is no "real" in the function he posted :wink:

Post by daedalus__ »

I thought he was saying that mysql_escape_string() needs a link and mysql_real_escape_string() doesn't. I always avoided mysql_escape_string because it is deprecated.

Post by Luke »

It's deprecated because it didn't accept a mysql link resource and therefore couldn't escape according to character set...

PHP Manual wrote: string mysql_escape_string ( string unescaped_string )

This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.
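
An added example, not code from the thread or from PHP: a small Python model of why the escaping described above depends on the connection's character set. It ports the SanitizeString() function from the first post byte for byte, puts a charset-blind escaper (special bytes only, the mysql_escape_string() approach) next to a GBK-aware one (copy well-formed multibyte characters whole and escape a stray lead byte, the approach mysql_real_escape_string() takes for multibyte charsets), and runs all three over one constructed input through a simplified scanner for a single-quoted SQL literal. The scanner is an assumption about server behaviour, modelled on a lexer that consumes a well-formed multibyte character before it looks for a backslash or a quote; the GBK byte ranges used are the standard lead 0x81-0xFE and trail 0x40-0xFE (minus 0x7F). The payload and all function names are constructed for this illustration.

```python
# Added example, not from the thread: why escaping depends on the
# connection's character set. The scanner below is a simplified model
# (an assumption) of how a multibyte-aware server lexer reads a quoted
# literal; the payload is constructed for this illustration.

GBK_LEAD = range(0x81, 0xFF)   # first byte of a GBK double-byte character
GBK_TRAIL = range(0x40, 0xFF)  # second byte (0x7F is excluded below)


def is_gbk_char(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a well-formed GBK double-byte character."""
    return (i + 1 < len(data)
            and data[i] in GBK_LEAD
            and data[i + 1] in GBK_TRAIL and data[i + 1] != 0x7F)


def escape_bytes_blind(data: bytes) -> bytes:
    """Charset-blind escaping, as mysql_escape_string() does it: prefix the
    special *bytes* with a backslash and ignore multibyte boundaries."""
    out = bytearray()
    for b in data:
        if b in b"\\'\"\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection: copy well-formed
    characters whole and escape a lead byte that has no valid trail byte,
    so a backslash inserted before a later quote can never become that
    trail byte."""
    out = bytearray()
    i = 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in GBK_LEAD or b in b"\\'\"\x00":
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def sanitize_string_port(data: bytes) -> bytes:
    """Byte-for-byte port of the posted SanitizeString(): backslash every
    byte that is not a space, a digit or an ASCII letter."""
    out = bytearray()
    for b in data:
        if not (b == 0x20 or 0x30 <= b <= 0x39
                or 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def literal_end(sql: bytes, start: int, charset: str) -> int:
    """Index of the quote that closes the literal opened at sql[start].
    Lexer model: under a multibyte charset a well-formed double-byte
    character is consumed whole before the backslash and quote checks;
    a backslash makes the following byte literal. -1 if never closed."""
    i = start + 1
    while i < len(sql):
        if charset == "gbk" and is_gbk_char(sql, i):
            i += 2
            continue
        b = sql[i]
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return i
        i += 1
    return -1


def injected(user_input: bytes, escaper, charset: str) -> bool:
    """True if the escaped input closes the author's literal early, i.e.
    the quote the lexer stops at is not the one the query author wrote."""
    sql = b"SELECT * FROM users WHERE name = '" + escaper(user_input) + b"'"
    return literal_end(sql, sql.index(b"'"), charset) != len(sql) - 1


# Constructed input: a lone GBK lead byte followed by a quote. As raw bytes
# it is not valid GBK, but once a backslash lands after 0xBF the pair
# 0xBF 0x5C is a complete GBK character and the quote stands on its own.
PAYLOAD = b"\xbf' OR 1=1"

if __name__ == "__main__":
    for name, esc in [("blind", escape_bytes_blind),
                      ("gbk-aware", escape_gbk_aware),
                      ("posted whitelist", sanitize_string_port)]:
        for cs in ("latin1", "gbk"):
            print(f"{name:17s} {cs:7s} injected={injected(PAYLOAD, esc, cs)}")
```

Run as a script it reports, for each escaper and each assumed connection charset, whether the literal is broken out of. The blind escaper is safe under latin1 and unsafe under gbk for the very same bytes, which is exactly the piece of information a connection handle carries and a link-less function does not have. The posted whitelist survives this input only because it happens to backslash the lead byte along with everything else non-alphanumeric, not because it knows anything about the charset.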

Post by RobertGonzalez »

Maybe he just wants to escape the data, not necessarily for input into the database.

Daed, have you looked at the PHP source to see how it handles the job?

Post by daedalus__ »

The Ninja Space Goat wrote: I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.

Everah wrote: Maybe he just wants to escape the data, not necessarily for input into the database.

It's not necessarily for database input. Sometimes I am echoing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function. :)

Everah wrote: Daed, have you looked at the PHP source to see how it handles the job?

EDIT: Oh, that's a good idea.

EDIT: I looked and all that I can say is: errrrr?!!!!!!

Post by Luke »

Daedalus- wrote: It's not necessarily for database input.

Well, in that case, I've got to wonder... why were you ever using mysql_real_escape_string for that purpose in the first place? It's meant to escape data for mysql input... not for sanitization in general. It's only meant to escape characters that could break the query and possibly make you vulnerable to sql injection.

Post by daedalus__ »

Laziness. :)

Post by jmut »

Daedalus- wrote: It's not necessarily for database input. Sometimes I am echoing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function. :)

What you are trying to do kind of makes no sense.
Echoing escaped strings like that will not help you. The db class should do the actual escaping... so "before my db class is available" kind of makes no sense again.

Post by daedalus__ »

I posted in Coding Critique because I wanted to improve this function. Perhaps it could be faster, perhaps it could be done with less code, etc. I do not think that I should need to explain my reasons for writing and using such a function in order to get help and I politely ask anyone who is not going to offer ways to improve the code to please refrain from posting in the thread.
Last edited by daedalus__ on Thu Nov 09, 2006 2:13 pm, edited 1 time in total.