Database Input Escaping thing
Posted: Wed Nov 08, 2006 5:08 pm
by daedalus__
I was thinking about how I really hate mysql_real_escape_string because you need a $link to use it. 15 minutes later I had written this.
I am sure there is much more to sanitizing database input and user input for that matter. Suggestions?
<?php
// Whitelist of allowed byte values: space, 0-9, A-Z and a-z.
// Built in a helper so SanitizeString() can see it (the original left
// $ValidCharacters outside the function's scope).
function ValidCharacters()
{
    $ValidCharacters = array(32);
    for ($i = 48; $i <= 122; $i++)
    {
        // Skip 58-64 (between '9' and 'A') and 91-96 (between 'Z' and 'a').
        if ( ($i <= 57 || $i >= 65) && ($i <= 90 || $i >= 97) )
        {
            $ValidCharacters[] = $i;
        }
    }
    return $ValidCharacters;
}

// Prefix every byte that is not in the whitelist with a backslash.
// ('public' dropped: it is only valid on a method inside a class.)
function SanitizeString($string)
{
    $ValidCharacters = ValidCharacters();
    $CharacterArray = str_split($string);
    $CharacterArrayCount = count($CharacterArray);
    for ($i = 0; $i < $CharacterArrayCount; $i++)
    {
        if (!in_array(ord($CharacterArray[$i]), $ValidCharacters))
        {
            $CharacterArray[$i] = '\\'.$CharacterArray[$i];
        }
    }
    return implode('', $CharacterArray);
}
Posted: Wed Nov 08, 2006 5:13 pm
by Luke
It makes sense to me that you should supply it with a link... that way it knows what to escape... ?? I'm not sure I see the issue.
Posted: Wed Nov 08, 2006 5:31 pm
by daedalus__
I already see this thread going off-topic, but I don't understand why it would need a connection to the database server to enable it to know what to escape. Unless you mean which character encoding and all that.
I just wanted a function that you feed a string and get it back with the weird characters escaped. I posted here because I am sure there is more to it.
Posted: Wed Nov 08, 2006 5:42 pm
by Chris Corbyn
Does mysql_escape_string() need a link? Not real escape.
Posted: Wed Nov 08, 2006 5:42 pm
by Luke
Daedalus- wrote: Unless you mean which character encoding and all that.
That's precisely what I mean.
Posted: Wed Nov 08, 2006 5:53 pm
by daedalus__
d11wtq wrote: Does mysql_escape_string() need a link? Not real escape.
Every time I try to use mysql_real_escape_string() it tells me that it couldn't find a link.
Posted: Wed Nov 08, 2006 5:57 pm
by Luke
Look what he posted... hint: there is no "real" in the function he posted.

Posted: Wed Nov 08, 2006 6:56 pm
by daedalus__
I thought he was saying that mysql_escape_string() needs a link and mysql_real_escape_string() doesn't. I always avoided mysql_escape_string because it is deprecated.
Posted: Wed Nov 08, 2006 6:59 pm
by Luke
It's deprecated because it didn't accept a mysql link resource and therefore couldn't escape according to character set...
PHP Manual wrote: string mysql_escape_string ( string unescaped_string )
This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.
This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.
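An added example (not code from the thread) that makes the character-set point concrete: a byte-wise whitelist escaper like the one posted above splits a UTF-8 string into single bytes and inserts a backslash inside every multibyte character, so the result is no longer valid UTF-8, while an escaper that works on characters and only touches the ones MySQL treats as special in a string literal leaves the encoding intact. The input string is a constructed sample.

```php
<?php
// Added example, not from the thread: why an escaper needs to know the
// character set. Bytes outside the whitelist get a backslash in front,
// which lands in the middle of every multibyte UTF-8 character.

// Byte-wise escaper in the spirit of the posted SanitizeString():
// any byte that is not space, 0-9, A-Z or a-z is prefixed with '\'.
function escapeBytewise(string $s): string
{
    if ($s === '') {
        return '';
    }
    $out = '';
    foreach (str_split($s) as $byte) {
        $out .= preg_match('/[ 0-9A-Za-z]/', $byte) ? $byte : '\\' . $byte;
    }
    return $out;
}

// Character-aware escaper for a UTF-8 connection: strtr() works on the
// whole string, so multibyte characters are never split, and only the
// characters MySQL documents as special inside a quoted string literal
// (NUL, newline, carriage return, backslash, quotes, Control-Z) change.
function escapeUtf8(string $s): string
{
    $map = [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ];
    return strtr($s, $map);
}

function demo(): array
{
    // Constructed sample: an apostrophe plus a 2-byte UTF-8 character.
    $input    = "O'Reilly café";
    $bytewise = escapeBytewise($input);
    $aware    = escapeUtf8($input);
    return [
        'bytewise'            => $bytewise,
        'bytewise_valid_utf8' => mb_check_encoding($bytewise, 'UTF-8'),
        'aware'               => $aware,
        'aware_valid_utf8'    => mb_check_encoding($aware, 'UTF-8'),
    ];
}

print_r(demo());
```

Running it shows the byte-wise result failing mb_check_encoding() because the two bytes of "é" are separated by a backslash, which is the corruption a link-bound escaper avoids by knowing the connection's charset.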
Posted: Wed Nov 08, 2006 7:31 pm
by RobertGonzalez
Maybe he just wants to escape the data, not necessarily for input into the database.
Daed, have you looked at the PHP source to see how it handles the job?
Posted: Thu Nov 09, 2006 1:04 am
by daedalus__
The Ninja Space Goat wrote: I don't understand what the issue is though... do you often try to escape data to get it ready for mysql insertion without a mysql link handy? I don't think that's ever happened to me. If I'm escaping data to put it into mysql, I've always got a link handy.
Everah wrote: Maybe he just wants to escape the data, not necessarily for input into the database.
It's not necessarily for database input. Sometimes I am echoing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function.
Everah wrote: Daed, have you looked at the PHP source to see how it handles the job?
EDIT: OH, that's a good idea.
EDIT: I looked and all that I can say is: errrrr?!!!!!!
Posted: Thu Nov 09, 2006 1:30 am
by Luke
Daedalus- wrote: It's not necessarily for database input.
Well, in that case, I've got to wonder... why were you ever using mysql_real_escape_string for that purpose in the first place? It's meant to escape data for mysql input... not for sanitization in general. It's only meant to escape characters that could break the query and possibly make you vulnerable to sql injection.
Posted: Thu Nov 09, 2006 1:31 am
by daedalus__
Laziness.

Posted: Thu Nov 09, 2006 2:57 am
by jmut
Daedalus- wrote:
It's not necessarily for database input. Sometimes I am echoing escaped strings and sometimes I want to escape input before my db class is available. I can't think of any instances off the top of my head, though. It happens enough for me to want to write a function.
What you are trying to do kind of makes no sense.
Echoing escaped strings like that will not help you. The db class should do the actual escaping... so "before my db class is available" kind of makes no sense again.
Posted: Thu Nov 09, 2006 1:59 pm
by daedalus__
I posted in Coding Critique because I wanted to improve this function. Perhaps it could be faster, perhaps it could be done with less code, etc. I do not think that I should need to explain my reasons for writing and using such a function in order to get help and I politely ask anyone who is not going to offer ways to improve the code to please refrain from posting in the thread.