Re: mysql_real_escape_string() question

On Thu, September 28, 2006 10:06 am, tedd wrote:
> In one of my snip-its, namely:
>
> http://xn--ovg.com/pdf
>
> I was generating a pdf document after the user filled in a form. I
> had been cleaning the user input by using  --
>
> $name = mysql_real_escape_string($name);
>
> -- even though I wasn't using MySQL (the code was a cut-paste from
> some other code I had).

But you *WERE* using MySQL!

> However, everything worked!
>
> But, a couple of days ago it suddenly stopped working. Now, I get the
> following error:
>
> Warning: mysql_real_escape_string(): Access denied for user
> 'nobody'@'localhost' (using password: NO) in ...

One of two things happened.

Some auto-connect script is no longer running, or the 'nobody' user in
MySQL got nuked.

Cuz you used to be connected to MySQL, and it was using MySQL database
information to do the escaping.

> When I comment-out the offending statement, it runs. I replaced the
> statement, but wonder what happened -- when did using
> mysql_real_escape_string() require a password?

mysql_real_escape_string talks back to MySQL to ask it what character
encoding you are using, so it knows how to correctly escape
multi-byte/unicode/funky characters for MySQL usage.

Take out the "_real" bit, and it's doing a "fake" version that ignores
multibyte/unicode/funky characters.

So, short term, just delete '_real' from your function call, and it
will act exactly like before, except with the caveat that any
unicode/multibyte/funky characters may not be escaped the same way as
they were.

> What's up with that? Any ideas as to what happened?

One also has to ask WHY you would use MySQL's escaping for data that's
not going into MySQL.

That's almost certainly "wrong".

Though I confess, I'm sometimes at a loss how to properly escape
certain data for certain situations...

Here's an example:
Take the Subject of an email.

Sure, I've sanitized it to be sure there are no newlines for header
injection.

But now how do I properly escape it to be sure it's a kosher email
subject?

Where's the PHP function smtp_escape()?

I'm just passing it on from one user to another.  I don't want to
munge it, nor make any assumptions about its format.  It's just "data"
to me.

But to SMTP, there are bound to be all kinds of "rules" about it that
I have no desire, much less time, to research, code, and test in as
thorough a fashion as I should to be Professional.

And every developer who sends an email with PHP needs this, right?

So of the myriad PHP functions available, which one is the right one
to escape an email Subject?

I'm *NOT* asking for an answer to this specific question about email
Subjects!

I'm looking for a guide, a chart, a grid, an organized systemic
documentation of what data should be escaped how as it travels through
the "glue" that is PHP...

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
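
Added example, not part of the original message or of PHP's documentation: a small per-destination escaping grid of the kind the post asks for, with one helper for each place the same input may travel. The `for_*` helpers and `store_name()` are hypothetical names, the input is constructed, and the code assumes PHP 7.3+ with the mbstring and pdo_sqlite extensions; SQL uses a bound parameter instead of any `mysql_*` escaping call.

```php
<?php
// Added example: one escaping routine per destination context.
// for_* and store_name() are hypothetical helpers, not PHP built-ins.
function for_html(string $s): string {
    // HTML text node or quoted attribute value
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function for_url_component(string $s): string {
    // A single path segment or query-string value (RFC 3986)
    return rawurlencode($s);
}

function for_shell_arg(string $s): string {
    // Exactly one argument on a command line
    return escapeshellarg($s);
}

function for_js_literal(string $s): string {
    // String literal placed inside an inline <script> block
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($s, $flags | JSON_THROW_ON_ERROR);
}

function for_mail_subject(string $s): string {
    // Remove CR/LF (header injection), then RFC 2047-encode non-ASCII text
    $s = str_replace(["\r", "\n"], ' ', $s);
    mb_internal_encoding('UTF-8');
    return mb_encode_mimeheader($s, 'UTF-8', 'B', "\r\n", strlen('Subject: '));
}

function store_name(PDO $db, string $name): void {
    // SQL: bind the value; the driver handles quoting and charset
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Constructed sample input: markup, a quote, non-ASCII, and an embedded CRLF
$name = "Zoë <b>O'Brien</b>\r\nX-Extra: injected";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');
store_name($db, $name); // stored byte-for-byte, no escaping applied to the data

$contexts = ['for_html', 'for_url_component', 'for_shell_arg',
             'for_js_literal', 'for_mail_subject'];
foreach ($contexts as $f) {
    echo str_pad($f, 20), $f($name), "\n";
}
```

The stored value stays raw; each helper is applied only at the moment the data is written into that specific output.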