6 replies to this topic

[Lulzim]

Does anybody know any other function that does the same thing as mysql_real_escape_string? I need an alternative just because using mysql_real_escape_string requires an active connection to a database and I hate that. I need to use it before making a connection to db.

I know about addslashes but they obviously do not do the same, otherwise there wouldn't be 2 separate functions.

here is what I found somewhere:

<?php
function mres&#40;$value&#41;
{
	$search = array&#40;&#34;\x00&#34;, &#34;\n&#34;, &#34;\r&#34;, &#34;\\&#34;, &#34;&#39;&#34;, &#34;\&#34;&#34;, &#34;\x1a&#34;&#41;;
	$replace = array&#40;&#34;\\x00&#34;, &#34;\\n&#34;, &#34;\\r&#34;, &#34;\\\\&#34; ,&#34;\&#39;&#34;, &#34;\\\&#34;&#34;, &#34;\\\x1a&#34;&#41;;

	return str_replace&#40;$search, $replace, $value&#41;;
}
?>

do you think this is it?

thanks in advance

[justsomeguy]

Why don't you just connect to the database first, or escape after you connect? If you haven't connected to the database yet you shouldn't need to escape anything. You would only escape if you're putting values in a query, which would obviously require a connection. I'm not sure what the problem is.

[Lulzim]

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?

[Silver]

Lulzim, on Jun 18 2008, 02:51 PM, said:

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?

Umm, Okay. But what if you have something that you DON'T want to escape? Then you will have data with a bunch of backslashes. It's better to escape the data WHEN you execute the sql query.

You could try using mres() to escape all your data at the beginning of the script, but there is no guarantee that your data will be safe to use in a sql query. It's best that you use mysql_real_escape_string() to escape your data (and no, there is no mysql_real_escape_string that doesn't require a link identifier).

If you really want to escape all your POST,GET,etc. data at the beginning of your script, you should connect to mysql first and use mysql_real_escape_string() on all the data you wish to escape.

[Synook]

Quote

because sometimes I forget to escape them everywhere. Makes sense?

Don't worry, we don't code on the fly (or at least we shouldn't). If you look back over your code after you write it I'm sure you'll be able to spot unescaped queries.

[boen_robot]

If you feel like you'll forget to escape a variable that will be a part of a query, don't escape variables before you assemble the query. Escape them while you assemble the query, i.e.

mysql_query('SELECT * FROM ' . mysql_real_escape_string($_POST['table'], $conn) . ' WHERE something= ' . mysql_real_escape_string($_POST['something'], $conn), $conn);

I always wonder why people have to write stuff like

$table = mysql_real_escape_string($_POST['table'], $conn);
$something = mysql_real_escape_string($_POST['something'], $conn);
mysql_query("SELECT * FROM $table WHERE something= $something" , $conn);

Readbility? When you have syntax highlighting available, I think the first is far easier to decipher, while at the same time showing that security precautions have been taken.

If you get into the habbit of escaping at the last possible moment, you'll be sure that you've done all escaping, since the moment of "there may be something wrong before I did this" will be gone (and will instead be replaced with "I forgot to do this here").

[justsomeguy]

Quote

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?

That's fine, just connect to the database before you do that. It's often good not to escape everything though, sometimes you want access to the original unaltered data in case you need to write it back to the page (like if an error occurred). You could also use a database class that will escape everything automatically.