mysql_real_escape_string alternative?


6 replies to this topic

#1 Lulzim

Posted 18 June 2008 - 09:32 PM

Does anybody know any other function that does the same thing as mysql_real_escape_string? I need an alternative just because using mysql_real_escape_string requires an active connection to a database and I hate that. I need to use it before making a connection to db.

I know about addslashes but they obviously do not do the same, otherwise there wouldn't be 2 separate functions.

here is what I found somewhere:
<?php
// Byte-level imitation of mysql_real_escape_string(). Two fixes over the version
// as found: the backslash pair must come first, because str_replace() applies the
// pairs in order and would otherwise double the backslashes it has just inserted;
// and MySQL writes NUL as \0 and 0x1A as \Z, not as a literal "\x00" or "\" + 0x1A.
// It still knows nothing about the connection's character set.
function mres($value)
{
	$search  = array("\\",   "\x00", "\n",  "\r",  "'",   "\"",   "\x1a");
	$replace = array("\\\\", "\\0",  "\\n", "\\r", "\\'", "\\\"", "\\Z");

	return str_replace($search, $replace, $value);
}
?>
do you think this is it?

thanks in advance
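The reason mysql_real_escape_string() wants a connection is the connection's character set, not a quirk of the API: the server-side routine escapes per character, while addslashes() and the mres() above work per byte. In a multibyte charset such as GBK the inserted backslash (0x5C) can become the trailing byte of a two-byte character, and the quote after it is unescaped again. The following is an added example, not code from the thread, showing that with PHP's own addslashes() and the mbstring extension (mb_str_split needs PHP 7.4 or later); the attacker input is constructed. The connection-aware equivalents today are mysqli_set_charset() followed by mysqli_real_escape_string(), or a prepared statement; the mysql_* functions discussed in this thread were removed in PHP 7.0.

```php
<?php
// Added example (not from the thread): why an escaper that never sees the
// connection is not a drop-in for mysql_real_escape_string(). The server-side
// function knows the connection's character set; addslashes(), and the mres()
// posted above, only see bytes. Needs mbstring (mb_str_split: PHP >= 7.4).

function gbk_bypass_demo(): array
{
    // Constructed attacker input: a GBK lead byte (0xBF), then a quote, then the payload.
    $input = "\xBF' OR 1=1 -- ";

    // Byte-level escaping inserts 0x5C in front of the quote: BF 5C 27 20 4F 52 ...
    $escaped = addslashes($input);

    // A connection using GBK reads BF 5C as ONE two-byte character (0x5C is a
    // valid trail byte), so the quote after it is no longer preceded by a backslash.
    $gbk = mb_str_split($escaped, 1, 'GBK');

    // Under a single-byte charset the backslash stays in front of the quote.
    $latin1 = mb_str_split($escaped, 1, 'ISO-8859-1');

    // What the application would send; the server parses it in its own charset.
    $sql = "SELECT * FROM users WHERE name = '" . $escaped . "'";

    return [
        'escaped_hex'          => bin2hex($escaped),
        'first_char_as_gbk'    => bin2hex($gbk[0]),      // two bytes: the backslash was swallowed
        'quote_open_as_gbk'    => $gbk[1] === "'",       // the string literal is closed early
        'quote_open_as_latin1' => $latin1[1] === "'",    // here the second char is the backslash
        'sql'                  => $sql,
    ];
}

print_r(gbk_bypass_demo());
```

Run from the command line, the array shows the escaped bytes and that the quote is open when the same bytes are read as GBK but not as ISO-8859-1. That is the whole reason the escaping function must be told which connection the string is destined for.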

#2 justsomeguy

Posted 18 June 2008 - 09:44 PM

Why don't you just connect to the database first, or escape after you connect? If you haven't connected to the database yet you shouldn't need to escape anything. You would only escape if you're putting values in a query, which would obviously require a connection. I'm not sure what the problem is.
Know your history: Babbage | Lovelace | Turing | Hopper | Ritchie
ConTEXT Sublime Text Opera PHP MySQL phpMyAdmin
Use a debugger: Firefox, IE, Chrome, Safari, or Opera
Know the foundations of computer science: algorithms, machine architectures, data structures, etc. Don't just blindly copy techniques from application to application. Know what you are doing, that it works, and why it works. Don't think you know what the industry will be in five years time or what you'll be doing then, so gather a portfolio of general and useful skills. Try to write better, more principled code. Work to make "programming" more of a professional activity and less of a low-level "hacking" activity (programming is also a craft, but not just a craft). Learn from the classics in the field and the better advanced textbooks; don't be satisfied with the easily digested "how to" guides and online documentation - it's shallow.
-- Bjarne Stroustrup

He that teaches himself has a fool for a master.
-- Benjamin Franklin (paraphrased)

#3 Lulzim

Posted 18 June 2008 - 09:51 PM

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?

#4 Silver

Posted 19 June 2008 - 03:00 AM

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?


Umm, Okay. But what if you have something that you DON'T want to escape? Then you will have data with a bunch of backslashes. It's better to escape the data WHEN you execute the sql query.

You could try using mres() to escape all your data at the beginning of the script, but there is no guarantee that your data will be safe to use in a sql query. It's best that you use mysql_real_escape_string() to escape your data (and no, there is no mysql_real_escape_string that doesn't require a link identifier).

If you really want to escape all your POST,GET,etc. data at the beginning of your script, you should connect to mysql first and use mysql_real_escape_string() on all the data you wish to escape.

#5 Synook

Posted 19 June 2008 - 06:15 AM

because sometimes I forget to escape them everywhere. Makes sense?

Don't worry, we don't code on the fly (or at least we shouldn't). If you look back over your code after you write it I'm sure you'll be able to spot unescaped queries.

#6 boen_robot

Posted 19 June 2008 - 08:18 AM

If you feel like you'll forget to escape a variable that will be a part of a query, don't escape variables before you assemble the query. Escape them while you assemble the query, i.e.
// $_POST['table'] is an identifier, not a string literal, so escaping cannot protect it: check it against a fixed list of table names first. The value needs quotes around it, or the escaping achieves nothing.
mysql_query('SELECT * FROM `' . mysql_real_escape_string($_POST['table'], $conn) . '` WHERE something = \'' . mysql_real_escape_string($_POST['something'], $conn) . '\'', $conn);

I always wonder why people have to write stuff like
$table = mysql_real_escape_string($_POST['table'], $conn);          // identifier: needs an allowlist check, escaping does not help here
$something = mysql_real_escape_string($_POST['something'], $conn);
mysql_query("SELECT * FROM `$table` WHERE something = '$something'", $conn);  // the quotes around the value are what make the escaping effective
Readability? When you have syntax highlighting available, I think the first is far easier to decipher, while at the same time showing that security precautions have been taken.

If you get into the habit of escaping at the last possible moment, you'll be sure that you've done all escaping, since the moment of "there may be something wrong before I did this" will be gone (and will instead be replaced with "I forgot to do this here").
The greatest difficulty in programming is not in finding answers, but in asking yourself the right questions. -- If nobody has said it before, then I'd like to take credit of thinking this up (during summer of 2010).
"Complex problems often have the simplest solutions" -- Not sure who said that first.
=== My projects (all feedback welcomed) ===
XML_XSLT2Processor(0.5.3) - perform XSLT 2.0 transformations in PHP.
PEAR2_Net_Transmitter(1.0.0a4) - reliable sockets.
PEAR2_Cache_SHM(0.1.2) - persistent data storage wrapper.
=== Useful tools ===
NetBeans - full featured PHP IDE, as well as a decent code editor for other things.
Fiddler2 - The best free HTTP debugger. Performance tuning, security check, integrity check, custom requests and more, all made easy.
Gobby - That's NOT my Nickname! Look at the topic.

#7 justsomeguy

Posted 21 June 2008 - 11:47 PM

Let's say in the beginning of some scripts I want to escape everything that is on $_GET and $_POST (or just $_REQUEST will do both) and get over with it, because sometimes I forget to escape them everywhere. Makes sense?

That's fine, just connect to the database before you do that. It's often good not to escape everything though, sometimes you want access to the original unaltered data in case you need to write it back to the page (like if an error occurred). You could also use a database class that will escape everything automatically.
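Silver's and justsomeguy's advice (connect first, escape at query time, or use a database class that does it for you) in current PHP, as an added example that is not code from the thread. It uses PDO prepared statements, which bind values instead of escaping them, so the step cannot be forgotten; it also covers the table name taken from $_POST in boen_robot's post, which is an identifier and can be neither escaped nor bound, so it is checked against an allowlist. The Db class, the users table and the request data are constructed for the example, and it runs against an in-memory SQLite database so it works offline (PHP 7.4 or later with pdo_sqlite). Against MySQL the DSN would carry the character set, for example mysql:host=localhost;dbname=app;charset=utf8mb4, which is exactly the information mysql_real_escape_string() needed the connection for.

```php
<?php
// Added example (not from the thread). A small wrapper that binds values with
// PDO prepared statements, so escaping is never a step the caller can forget,
// and the raw request data is left untouched for re-display.
// Runs against in-memory SQLite so it works offline; for MySQL the DSN would be
// e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed values).

final class Db
{
    private PDO $pdo;

    // Assumed schema: the allowlist of tables and columns a request may name.
    private const SCHEMA = ['users' => ['id', 'name', 'email']];

    public function __construct(string $dsn, ?string $user = null, ?string $password = null)
    {
        $this->pdo = new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }

    /** Statement without a result set; values are bound, never interpolated. */
    public function exec(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }

    /** SELECT with bound values; returns all rows as associative arrays. */
    public function rows(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /**
     * Identifiers cannot be bound as parameters and escaping does not protect
     * them, so a table or column name that comes from the request is checked
     * against the allowlist before it is placed in the query text.
     */
    public function selectWhere(string $table, string $column, string $value): array
    {
        if (!isset(self::SCHEMA[$table]) || !in_array($column, self::SCHEMA[$table], true)) {
            throw new InvalidArgumentException("unknown table or column: $table.$column");
        }
        return $this->rows("SELECT * FROM `$table` WHERE `$column` = ?", [$value]);
    }
}

// --- demo on constructed data ------------------------------------------------
$db = new Db('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec('INSERT INTO users (name, email) VALUES (?, ?)', ["O'Brien", 'ob@example.com']);

// Constructed request. The name is a classic injection payload; because it is
// bound as data it matches no row instead of matching every row.
$_POST = ['table' => 'users', 'name' => "' OR 1=1 -- "];
$hits = $db->selectWhere($_POST['table'], 'name', $_POST['name']);
if (count($hits) !== 0) {
    throw new RuntimeException('payload was interpreted as SQL');
}

// A legitimate value containing a quote still works ...
$hits = $db->selectWhere('users', 'name', "O'Brien");
if ($hits[0]['email'] !== 'ob@example.com') {
    throw new RuntimeException('lookup failed');
}

// ... and $_POST was never modified, so it can go back into the page
// (through htmlspecialchars()) if the form has to be shown again.
echo 'you searched for: ' . htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8') . "\n";

// A table name that is not in the allowlist is rejected before any SQL is built.
try {
    $db->selectWhere('users; DROP TABLE users', 'name', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Escaping the whole of $_REQUEST up front, as proposed earlier in the thread, is not needed with this shape: values only ever meet SQL through a placeholder, and what is echoed back to the browser goes through htmlspecialchars() instead, because HTML and SQL need different escaping.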
