bruce <mailto:bedouglas@xxxxxxxxxxxxx> on Thursday, September 22, 2005 3:33 PM said:

> further investigation seems to imply that 'strings' that are to be
> inserted into the mysql db should be 'backslashed' for the chars
>
> \x00, \n, \r, \, ', " and \x1a.

That's what escaping is.

> the mysql_real_escape_string function
> requires a db connection and the app might not have opened up a
> connection to the db at this point in the code.. (or i could rewrite
> the code!!)

Unless you have warnings print to the screen you should be fine. Or you could just suppress the errors on that one function.

> numeric data:
> -doesn't need quoting, but it shouldn't hurt to quote anyway..
> (quote all numeric values inserted in the db...)
> -but wouldn't this require the app to detect numeric vals in
> the db, and to convert the 'type'!!)

No. Why would it? If you quote everything then there's no need to check for type.

> -how does this affect date/float vars...

I'm not sure. Check the MySQL manual on column types.

> extracting data from the db:
>
> numeric data
> -get the data/val from the db
> -check the type/convert the db to int/float/date/etc...

No type conversion is necessary. PHP is a loosely typed language.

> string data
> -get the vals from the db,
> -strip any slashes that were added to the data/vars
> -process/use accordingly...

As I said in my previous email, stripping of slashes is not necessary. The reason data is escaped before it's put into the database is so that you don't confuse the engine.

$string_data = "Hello I'm a string.";
$sql = "INSERT INTO table (thestring) VALUES ('$string_data')";

That would be the same as:

INSERT INTO table (thestring) VALUES ('Hello I'm a string')

The engine is going to choke on the apostrophe in I'm. With escaping it would be ... VALUES ('Hello I\'m a string'). When you retrieve that data you'll get exactly "Hello I'm a string." There will be no backslash. It also prevents SQL injection attacks.

> have i left anything out..??

I don't know.
hth,
Chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
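The mechanism Chris describes, as an added example that is not part of the thread: a Python model of the MySQL-style backslash escaping for exactly the characters Bruce lists, plus a minimal single-quoted-literal scanner standing in for the engine's lexer (an assumption; the real lexer and the charset handling of mysql_real_escape_string are not reproduced). It shows that the unescaped INSERT breaks at the apostrophe, that the escaped INSERT stores the value with no backslash, and that running stripslashes() on retrieved data would corrupt a legitimately stored backslash. All input values are constructed; no database connection is needed.

```python
"""Added example (not from the thread): MySQL-style escaping of the listed
characters and a toy literal scanner that mimics how the engine decodes
the escapes on the way in. Constructed values only; no database needed."""
from typing import Tuple

# Characters the thread says must be backslashed, mapped to the sequences
# mysql_real_escape_string emits for them (assumed; charset handling omitted).
ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
# Reverse mapping, applied by the engine when it reads a string literal.
UNESCAPES = {esc[1]: raw for raw, esc in ESCAPES.items()}


def escape_string(value: str) -> str:
    """Escape `value` for use inside a single-quoted SQL string literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_insert(thestring: str, escape: bool) -> str:
    """Build the INSERT from the thread, with or without escaping."""
    v = escape_string(thestring) if escape else thestring
    return f"INSERT INTO table (thestring) VALUES ('{v}')"


def parse_single_quoted_literal(sql: str, start: int) -> Tuple[str, int]:
    """Decode the literal starting at sql[start] (a quote). Returns the
    decoded value and the index just past the closing quote. An unterminated
    literal raises ValueError, which is the 'engine chokes' case."""
    if sql[start] != "'":
        raise ValueError("literal must start with a quote")
    out = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            # Backslash escape: emit the raw character, drop the backslash.
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def value_stored(sql: str) -> str:
    """Value the engine would store for INSERT ... VALUES ('...').
    Anything left after the literal other than ')' is a syntax error."""
    start = sql.index("VALUES (") + len("VALUES (")
    value, end = parse_single_quoted_literal(sql, start)
    if sql[end:] != ")":
        raise ValueError("syntax error near: " + sql[end:])
    return value


def php_stripslashes(s: str) -> str:
    """Behaviour of PHP's stripslashes(): drop each backslash and keep the
    character after it, so a doubled backslash becomes a single one."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        elif s[i] == "\\":
            i += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    text = "Hello I'm a string."
    try:
        value_stored(build_insert(text, escape=False))
    except ValueError as err:
        print("unescaped insert rejected:", err)
    print("escaped insert stores:", repr(value_stored(build_insert(text, escape=True))))
    path = r"C:\temp"  # constructed value containing a real backslash
    stored = value_stored(build_insert(path, escape=True))
    print("stored:", stored, "| after stripslashes:", php_stripslashes(stored))
```

The stored value comes back exactly as it went in, backslash-free for the apostrophe case and with its single backslash intact for the path case; applying stripslashes() on retrieval is what turns `C:\temp` into `C:temp`, which is why escaping belongs only on the way into the query, never undone on the way out.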