Hello,
Without trying to embarrass myself, but...
Here is the "smart quoting" function from php.net:
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
From that idea I implemented this in my MySQL class:
// First attempt: strip the magic-quotes slashes when they are present,
// otherwise escape the value for MySQL.
public function smartQuote( $string )
{
    if( get_magic_quotes_gpc() == 1 ) {
        return stripslashes($string);
    }
    else {
        return mysql_real_escape_string($string);
    }
}
I call it in the following manner:
// Hash the password itself, not its escaped form; md5() returns hex digits,
// which need no escaping before they are placed in the query.
$password = $_POST['password'];
if (get_magic_quotes_gpc()) {
    $password = stripslashes($password);
}
$result = $mysql->query("SELECT *
    FROM [[prefix]]_users
    WHERE name = '" . MySQL::smartQuote($_POST['username']) . "'
    AND password = '" . md5($password) . "'
");
Now, when magic_quotes is off and the user name is, say, Jingle'sBells,
it works fine, because mysql_real_escape_string() kicks in.
But if magic_quotes is on I get the error that something is invalid in
my SQL syntax near 'sBells', because of course it would look like name =
'Jingle'sBells'.
So I modified it a little:
// Modified version: undo the magic-quotes slashes first, then always
// escape exactly once, so the value is escaped in both configurations.
public function smartQuote( $string )
{
    if( get_magic_quotes_gpc() == 1 ) {
        return mysql_real_escape_string(stripslashes($string));
    }
    else {
        return mysql_real_escape_string($string);
    }
}
That now works with magic_quotes both on and off for inserts / selects
etc. (of course I have to call MySQL::smartQuote() for each
value, but it's worth it). Or does my function defeat the point totally?
I did notice that with magic_quotes both On and Off, data is inserted
correctly into the table as Jingle's Bells without slashes.
I was wondering whether my function above is correct and the website's
documentation is off a little.
Regards,
Johannes
I'm grateful for any help.
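The following is an added example, not code from the post above or from php.net. It reproduces the two smartQuote() versions from the post without a MySQL connection so the difference can be seen on constructed inputs, shows why hashing the escaped value rather than the raw password is a problem, and contrasts both with a prepared statement. Assumptions: addslashes() stands in for mysql_real_escape_string() (both backslash-escape the quote, double quote, backslash and NUL; the real function also escapes \n, \r and \x1a and is charset-aware), magic_quotes_gpc=On is simulated by running addslashes() over the raw request value (which is what PHP did to $_POST under that setting), and the pdo_sqlite extension is available for the in-memory database.

```php
<?php
// Added example, not code from the original post. Emulates the thread's two
// smartQuote() versions without a MySQL connection. Assumption: addslashes()
// stands in for mysql_real_escape_string() (both backslash-escape ' " \ and NUL;
// the real function also escapes \n, \r and \x1a and is connection-charset aware).

// Assumption: magic_quotes_gpc=On is simulated by addslashes() over the raw value,
// which is what PHP applied to $_POST when that setting was on.
function simulatePost($raw, $magicQuotesOn)
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// First version from the post: with magic quotes on it only strips the
// slashes and returns the value unescaped.
function smartQuoteV1($value, $magicQuotesOn)
{
    return $magicQuotesOn ? stripslashes($value) : addslashes($value);
}

// Modified version from the post: normalise to the raw value, then escape once.
function smartQuoteV2($value, $magicQuotesOn)
{
    return addslashes($magicQuotesOn ? stripslashes($value) : $value);
}

// Constructed inputs: a legitimate name containing a quote, and an injection payload.
$inputs = array("Jingle'sBells", "' OR '1'='1");
foreach (array(false, true) as $mq) {
    foreach ($inputs as $raw) {
        $posted = simulatePost($raw, $mq);
        printf("magic_quotes_gpc=%s  raw=%s\n  v1: WHERE name = '%s'\n  v2: WHERE name = '%s'\n",
            $mq ? 'On' : 'Off', $raw, smartQuoteV1($posted, $mq), smartQuoteV2($posted, $mq));
    }
}

// Hashing the escaped value instead of the raw password (md5(smartQuote($pw)))
// yields a different digest whenever the password contains a quote or backslash,
// so the stored hash depends on the escaping path rather than on the password.
$pw = "it's";
printf("md5(raw)=%s\nmd5(escaped)=%s\n", md5($pw), md5(addslashes($pw)));

// With a prepared statement the value never becomes part of the SQL text, so
// neither magic_quotes_gpc nor escaping matters. Shown with PDO over an in-memory
// SQLite database (assumption: pdo_sqlite is loaded); for MySQL only the DSN changes.
// md5() is kept only to match the post's schema; use password_hash() for real storage.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)");
$insert = $db->prepare("INSERT INTO users (name, password) VALUES (:name, :password)");
$insert->execute(array(':name' => "Jingle'sBells", ':password' => md5("it's")));

$login = $db->prepare("SELECT COUNT(*) FROM users WHERE name = :name AND password = :password");
$attempts = array(
    array("Jingle'sBells", "it's"),   // the real user
    array("' OR '1'='1", "guess"),    // injection payload, compared literally as a name
);
foreach ($attempts as $attempt) {
    $login->execute(array(':name' => $attempt[0], ':password' => md5($attempt[1])));
    printf("login as %-14s -> %d matching row(s)\n", $attempt[0], $login->fetchColumn());
    $login->closeCursor();
}
```

Run with magic_quotes_gpc simulated On, the first version produces WHERE name = 'Jingle'sBells', the syntax error described in the post, and passes the payload through unescaped so the condition collapses to name = '' OR '1'='1'; the modified version produces Jingle\'sBells in both modes, which is the behaviour the post reports. The two md5 digests differ, which is why the password should be hashed before, not after, any escaping. The prepared statement matches one row for the real user and none for the payload, because a bound parameter is compared as data rather than parsed as SQL.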
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php