On Tue, 2009-10-20 at 12:58 +0200, Dotan Cohen wrote:
> > Dotan,
> >
> > You are making this thing harder than it has to be.
> >
> > All you need is to replicate the escaping of the same characters that
> > mysql_real_escape_string() escapes. Simply do that. They are listed on the
> > function's manual page on php.net
> >
> > http://php.net/mysql_real_escape_string
> >
> > Here is a function that I mocked up really quick.
> >
> > I have no idea if it will work, but it is a start down the right road to solve
> > your problem(s)...
> >
> > <?php
> >
> > function clean_string($input) {
> >
> >     /**
> >      * Characters to escape (the list on the manual page):
> >      * \x00 \n \r \ ' " \x1a
> >      *
> >      * The backslash pair comes first: str_replace() applies each pair to
> >      * the whole string in turn, so the backslashes added by the other
> >      * pairs must not be doubled by a later backslash pass. The NUL and
> >      * \x1a bytes become the two-character sequences \0 and \Z.
> >      **/
> >
> >     $patterns = array( "\\", "\x00", "\n", "\r", "'", "\"", "\x1a");
> >     $replace = array( '\\\\', '\\0', '\\n', '\\r', '\\\'', '\\"', '\\Z');
> >     return str_replace($patterns, $replace, $input);
> > }
> >
> > ?>
> >
>
> I think that I would rather trust the built-in functions. I don't need
> to do anything "smart" and get attacked. Anybody else have an opinion
> on this?
>
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>

Your only option might be to do something "smart". You can't use the proper
mysql functions without a connection to a database, but you refuse to connect
to a database until after you perform validation...

You do realise you can have several db connections open at one time, so you
could have one always open for the purpose of validation? Potentially wasteful,
but the architecture in this idea is a little different from the norm.

Thanks,
Ash
http://www.ashleysheridan.co.uk
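As an added illustration of the "replicate the escaping yourself" approach discussed above (this is example code written for this page, not code from either poster), here is a connection-free escaper for the seven characters listed on the mysql_real_escape_string manual page, built with strtr() so that the replacement is done in a single pass. It is shown beside a sequential str_replace() version that lists the characters in the manual's order, NUL first and backslash fourth, to make visible why ordering matters: str_replace() re-scans the whole string for every pair, so the backslash it inserts for a newline is itself doubled when the backslash pair runs later. The function names and the sample string are assumptions made for the example. Caveat: this reproduces the documented character list only; the real function also takes the connection's character set into account, which is the reason it needs a database link in the first place.

```php
<?php
// Added example (not from the thread): escape the characters documented for
// mysql_real_escape_string() without a database connection, and show why the
// order of replacements matters when str_replace() is used instead of strtr().

// Single-pass replacement. strtr() with an array never re-scans text it has
// already emitted, so the backslash it adds for "\n" is not escaped again.
function escape_like_mysql($input) {
    static $map = array(
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    );
    return strtr($input, $map);
}

// Sequential replacement in the manual page's order (NUL first, backslash
// fourth). Each pair runs over the whole string, so the backslashes produced
// by the first three pairs are doubled when the "\\" pair runs.
function escape_sequential($input) {
    $patterns = array("\x00", "\n", "\r", "\\", "'", '"', "\x1a");
    $replace  = array('\\0', '\\n', '\\r', '\\\\', "\\'", '\\"', '\\Z');
    return str_replace($patterns, $replace, $input);
}

// Constructed sample input containing every special character once.
$sample = "O'Neil\\x\"y\nz\r" . "\x00" . "\x1a";

$good = escape_like_mysql($sample);
$bad  = escape_sequential($sample);

// Each special character gets exactly one backslash: O\'Neil\\x\"y\nz\r\0\Z
var_dump($good === "O\\'Neil\\\\x\\\"y\\nz\\r\\0\\Z");   // bool(true)

// The sequential version yields O\'Neil\\x\"y\\nz\\r\\0\Z: the escapes for
// \n, \r and \0 have been doubled, which changes the value stored in the DB.
var_dump($bad === $good);                                // bool(false)

// Intended use: the escaped value goes inside a quoted SQL string literal.
$name = "O'Neil";
$sql  = "SELECT * FROM users WHERE name = '" . escape_like_mysql($name) . "'";
```

Doubling the escapes does not open an injection hole by itself, but it silently corrupts data (a stored newline becomes the two characters `\n`), which is exactly the kind of subtle mistake Dotan's reply warns about when rolling your own version of a built-in.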