Jochem Maas wrote:
Brad Bonkoski wrote:
Jochem Maas wrote:
...
Understood what the esacpe character needs to be...the question is
the best way to get it there?
Currently I have:
magic_quotes_sybase = On
this adds single quotes automatically - addslashes (unless Im mistaken -
wouldnt be the first time) would add slashes (and not single quotes)
which is not what you want.
Only done automatically IFF magic_quotes_gpc is ALSO on, which in my
case it is off.
excerpts from manual....
magic_quotes_sybase *boolean*
<http://www.php.net/manual/en/language.types.boolean.php>
If magic_quotes_sybase is on, a single-quote is escaped with a
single-quote instead of a backslash if magic_quotes_gpc
<http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc> or
magic_quotes_runtime
<http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime> are
enabled.
-and -
An example use of *addslashes()* is when you're entering data into a
database. For example, to insert the name O'reilly into a database, you
will need to escape it. Most databases do this with a \ which would mean
O\'reilly. This would only be to get the data into the database, the
extra \ will not be inserted. Having the PHP directive
magic_quotes_sybase
<http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase>
set to on will mean ' is instead escaped with another '.
so a function call like addslashes() would actually escape single
quotes with another single quote...
Is there a better/more secure wahy?
my preference is to have all magic_quote_<BLA> ini settings set to
off and explicitly escape my data (after validation/cleaning)
according to
the context the data is being use in (e.g. DB insertion as per this
discussion)
if/when trying to write truly portable code you will have to have
routines
that check the actual magic quotes settings and depending on the
actual values/settings
normalize your data accordingly... which can be a right PITA to do
properly :-)
Understood...
The Oracle work I do is in a 'controlled' environment, but portability
should be factored in at some point!
I will test out the ora_bind function to see if that does escaping for
me, but that is a PITA! especially with large queries...
What about your firebird suggestion, does this work well with Oracle
connections and queries?
-Brad
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
