2009/3/20 Richard Lynch <ceo@xxxxxxxxx>:
> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>   trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not real sure what all could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>   trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

According to the C API docs [1] it cannot return an error. Looking in
the extension source [2] it would appear that incorrect/invalid
parameters, lack of MySQL connection and memory allocation errors are
the only reasons why it would fail.

-Stuart

[1] http://dev.mysql.com/doc/refman/5.0/en/mysql-real-escape-string.html
[2] http://cvs.php.net/viewvc.cgi/php-src/ext/mysql/php_mysql.c?revision=1.273&view=markup (line 1775+)

--
http://stut.net/
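An added example, not part of the original thread: it shows why the `=== false` check asked about above changes the outcome, since an unchecked FALSE interpolates into the query as an empty string. `build_insert()` and the `$escape` callable are hypothetical names; `$escape` stands in for `mysql_real_escape_string($data, $connection)` so the script runs without a database.

```php
<?php
// Added example, not from the thread. build_insert() and $escape are
// hypothetical; $escape stands in for
// mysql_real_escape_string($data, $connection).

function build_insert($data, callable $escape)
{
    // Invalid parameters are one of the failure causes named in the reply,
    // so reject non-strings before calling the escaper.
    if (!is_string($data)) {
        throw new InvalidArgumentException('data must be a string');
    }

    $data_sql = $escape($data);

    // Strict comparison: '' and '0' are legitimate escaped values, FALSE is not.
    if ($data_sql === false) {
        throw new RuntimeException('escaping failed; query not built');
    }

    return "insert into data(data) values('$data_sql')";
}

// Constructed stand-ins for the two outcomes (assumptions for the demo).
$working = function ($s) { return addslashes($s); }; // placeholder only, not charset-aware
$failing = function ($s) { return false; };          // e.g. no MySQL connection

// Without the check, FALSE interpolates as an empty string: the statement is
// syntactically valid and stores '' instead of the submitted value.
$unchecked = $failing("O'Reilly");
echo "insert into data(data) values('$unchecked')", "\n";

// With the check, a working escaper yields the query as usual...
echo build_insert("O'Reilly", $working), "\n";

// ...and a failed escape stops before any SQL is built.
try {
    build_insert("O'Reilly", $failing);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
```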