> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>   trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not real sure what all could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>   trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

Yes, you could add that condition, and it would be helpful if you also
include the value of $data in addition to mysql_error so you can examine
and figure out what caused it to return FALSE.

Also, the PHP manual says this:

mysql_query() will also fail and return FALSE if the user does not have
permission to access the table(s) referenced by the query.

Virgil
http://www.jampmark.com
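
An added example, not part of the original thread, showing why the `=== false` check discussed above matters: PHP interpolates FALSE as an empty string, so the unchecked query is still valid SQL and the later mysql_query() check would not fire. The `$escape` callable, the two stand-in escapers and the function names are assumptions made so the block runs without a database.

```php
<?php
// Added illustration, not code from the thread. $escape stands in for
// mysql_real_escape_string() so the block runs without a database.

// Unchecked version, as in the quoted post: FALSE interpolates as "".
function build_insert_unchecked(string $data, callable $escape): string
{
    $data_sql = $escape($data);
    return "insert into data(data) values('$data_sql')";
}

// Checked version: refuse to build a query from a failed escape, and
// report the offending input alongside the error, as the reply suggests.
function build_insert_checked(string $data, callable $escape): string
{
    $data_sql = $escape($data);
    if ($data_sql === false) {
        // Escape control and high bytes so the raw value cannot forge log lines.
        $shown = addcslashes($data, "\0..\37\177..\377");
        throw new RuntimeException("escape failed for input: \"$shown\"");
    }
    return "insert into data(data) values('$data_sql')";
}

// Constructed stand-ins (assumptions): addslashes() is only a placeholder
// for a working escaper here, not a safe way to build real queries.
$working = fn(string $s) => addslashes($s);
// Fails the way the docs describe: returns FALSE on error.
$failing = fn(string $s) => false;

$input = "O'Reilly\nline two"; // constructed sample input

echo build_insert_unchecked($input, $working), "\n";
// With a failed escape the query becomes values(''): valid SQL, so an
// empty row is inserted and no error is ever raised.
echo build_insert_unchecked($input, $failing), "\n";

try {
    build_insert_checked($input, $failing);
} catch (RuntimeException $e) {
    // Log the detail; the generic message for the user is produced elsewhere.
    error_log($e->getMessage());
}
```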