hey... regarding:

> $string_data = "Hello I'm a string.";
> $sql = "INSERT INTO table (thestring) VALUES ('$string_data')";
>
> That would be the same as:
>
> INSERT INTO table (thestring) VALUES ('Hello I'm a string')
>
> The engine is going to choke on the apostrophe in I'm. With escaping it
> would be ... VALUES ('Hello I\'m a string'). When you retrieve that data
> you'll get exactly "Hello I'm a string." There will be no backslash. It
> also prevents SQL injection attacks.

Not sure I agree with this one. If I put "foo \' cat" in a db tbl, I expect that I'll get the same out, which is what some of the articles I've seen have stated. Are you telling me, and are you sure, that I'd get "foo ' cat" out instead!!????

The articles I've seen imply that if you addslashes, you also need to stripslashes on the backend...

Comments/thoughts/etc...

-bruce

-----Original Message-----
From: Chris W. Parker [mailto:cparker@xxxxxxxxxxxx]
Sent: Thursday, September 22, 2005 3:42 PM
To: php-general@xxxxxxxxxxxxx
Subject: RE: basic user/input form questions... more validation!

bruce <mailto:bedouglas@xxxxxxxxxxxxx> on Thursday, September 22, 2005 3:33 PM said:

> further investigation seems to imply that 'strings' that are to be
> inserted into the mysql db should be 'backslashed' for the chars
>
> \x00, \n, \r, \, ', " and \x1a.

That's what escaping is.

> the mysql_real_escape_string function requires a db connection and the
> app might not have opened up a connection to the db at this point in the
> code.. (or i could rewrite the code!!)

Unless you have warnings print to the screen you should be fine. Or you could just suppress the errors on that one function.

> numeric data:
> -doesn't need quoting, but it shouldn't hurt to quote anyway..
>  (quote all numeric values inserted in the db...)
> -but wouldn't this require the app to detect numeric vals in
>  the db, and to convert the 'type'!!)

No. Why would it? If you quote everything then there's no need to check for type.

> -how does this affect date/float vars...

I'm not sure. Check the MySQL manual on column types.

> extracting data from the db:
>
> numeric data
> -get the data/val from the db
> -check the type/convert the db to int/float/date/etc...

No type conversion is necessary. PHP is a loosely typed language.

> string data
> -get the vals from the db,
> -strip any slashes that were added to the data/vars
> -process/use accordingly...

As I said in my previous email, stripping of slashes is not necessary. The reason data is escaped before it's put into the database is so that you don't confuse the engine.

$string_data = "Hello I'm a string.";
$sql = "INSERT INTO table (thestring) VALUES ('$string_data')";

That would be the same as:

INSERT INTO table (thestring) VALUES ('Hello I'm a string')

The engine is going to choke on the apostrophe in I'm. With escaping it would be ... VALUES ('Hello I\'m a string'). When you retrieve that data you'll get exactly "Hello I'm a string." There will be no backslash. It also prevents SQL injection attacks.

> have i left anything out..??

I don't know.

hth,
Chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
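The escape-then-parse round trip the two posts disagree about, as an added example that is not code from either poster. It models the two halves of the exchange offline: what mysql_real_escape_string does to a value (the character list bruce quoted), and what the server's parser does to a quoted literal when it reads the statement. The literal parser is a deliberately small model of MySQL's backslash and doubled-quote rules, not the real server; the table name `thetable` and the injection payload `x'), ('y` are made up for the demonstration.

```python
"""MySQL-style string escaping and the server-side parse that undoes it.

Added example for the thread above (not from the original posts). No database
is needed: parse_literal() is a small model of how MySQL reads a quoted string
literal, and escape_string() mirrors what mysql_real_escape_string emits for an
ASCII/UTF-8 connection character set.
"""
from __future__ import annotations

# Characters mysql_real_escape_string backslashes (the list quoted in the thread).
ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# What the server turns each backslash sequence back into when parsing a literal.
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "b": "\b", "t": "\t", "Z": "\x1a"}


def escape_string(value: str) -> str:
    """Escape a value the way mysql_real_escape_string does."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def parse_literal(sql: str, start: int) -> tuple[str, int]:
    """Parse the single-quoted literal at sql[start]; return (value, index after the closing quote)."""
    assert sql[start] == "'"
    out: list[str] = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            nxt = sql[i + 1]
            if nxt in ("%", "_"):          # MySQL keeps \% and \_ as-is (LIKE wildcards)
                out.append("\\" + nxt)
            else:                          # \' -> ', \\ -> \, \n -> newline, \x -> x
                out.append(UNESCAPES.get(nxt, nxt))
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":   # '' inside a literal is also a quote
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal: the server would reject this statement")


def tokenize(sql: str) -> list[tuple[str, str]]:
    """Split a statement into ('sql', text) and ('str', value) parts."""
    parts: list[tuple[str, str]] = []
    buf: list[str] = []
    i = 0
    while i < len(sql):
        if sql[i] == "'":
            if buf:
                parts.append(("sql", "".join(buf)))
                buf = []
            value, i = parse_literal(sql, i)
            parts.append(("str", value))
        else:
            buf.append(sql[i])
            i += 1
    if buf:
        parts.append(("sql", "".join(buf)))
    return parts


def shape(sql: str) -> str:
    """The statement with every literal replaced by '?': the SQL the server actually executes."""
    return "".join("?" if kind == "str" else text for kind, text in tokenize(sql))


def server_accepts(sql: str) -> bool:
    """False when the statement does not even lex (an unterminated literal)."""
    try:
        tokenize(sql)
        return True
    except ValueError:
        return False


def unsafe_insert(value: str) -> str:
    """The thread's original pattern: raw interpolation, no escaping."""
    return "INSERT INTO thetable (thestring) VALUES ('" + value + "')"


def safe_insert(value: str) -> str:
    """Same statement with the value escaped before interpolation."""
    return "INSERT INTO thetable (thestring) VALUES ('" + escape_string(value) + "')"


def stored_value(value: str) -> str:
    """The string the server would store for a properly escaped INSERT of `value`."""
    literals = [v for kind, v in tokenize(safe_insert(value)) if kind == "str"]
    assert len(literals) == 1
    return literals[0]


if __name__ == "__main__":
    for v in ["Hello I'm a string.", "foo \\' cat", "x'), ('y"]:
        print(repr(v), "->", safe_insert(v), "->", repr(stored_value(v)))
```

Run stand-alone, the loop shows the three cases the thread turns on: "Hello I'm a string." is sent as `'Hello I\'m a string.'` and stored without a backslash; bruce's "foo \' cat" is sent as `'foo \\\' cat'` and stored as exactly "foo \' cat", backslash included, because the backslash he typed was itself escaped; and the payload `x'), ('y` stays a single literal when escaped but becomes a second row when interpolated raw (compare `shape(unsafe_insert(...))` with `shape(safe_insert(...))`). A backslash can only turn up in storage if the value was escaped twice before the server saw it, which is the situation stripslashes was meant to undo. Two caveats the model leaves out: real escaping depends on the connection's character set and on whether the NO_BACKSLASH_ESCAPES sql_mode is set, which is why mysql_real_escape_string needs the connection and addslashes is not a substitute; and prepared statements with bound parameters sidestep the whole question by never placing the value inside the SQL text.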