On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:
> From: Ashley Sheridan
>
> > On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
> >> > Your only option might be to do something "smart". You can't use the
> >> > proper mysql functions without a connection to a database, but you
> >> > refuse to connect to a database until after you perform validation...
> >> >
> >> > You do realise you can have several db connections open at one time, so
> >> > you could have one always open for the purpose of validation?
> >> > Potentially wasteful, but the architecture in this idea is a little
> >> > different from the norm.
> >>
> >> I also thought mysql_real_escape_string was dead, since every DAL such as
> >> PDO or others uses bindings to properly escape variables, and a database
> >> related sanitize without a database is quite useless, imho.
> >>
> >
> > Not everyone uses something like PDO, so yes, sanitising data with
> > mysql_real_escape_string does still happen.
> >
> > The function clearly states that it needs an open connection to work, so
> > that leaves two choices really: 1) open a damn connection! or 2)
> > reinvent the wheel and create a function which mimics the behavior of
> > this one.
>
> Is the database connection used to determine the character encoding to
> be used before it inserts new characters into the strings? Would that
> make a difference in this case?
>
> Bob McConnell

Yes, the mysql_real_escape_string() function uses the database's character encoding to determine how to encode the string, whereas the older, deprecated version mysql_escape_string() required no connection as it always assumed Latin-1 (as far as I know).

The data itself only needs to be sanitised just prior to being inserted into the DB anyway; it shouldn't be used to validate data in any way, as there are functions specifically for that.

To me, it just seems that the logic of the script is flawed if you require the data to be sanitised before a connection has been made to the DB.

Thanks,
Ash
http://www.ashleysheridan.co.uk
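To make the ordering the thread argues about concrete, here is an added example; it is not code posted by anyone in the thread. It uses the mysqli and PDO extensions that replaced the old mysql_* functions, and it assumes a MySQL server on localhost with a database `app`, a table `users(email, name)`, and placeholder credentials. Validation runs first with no connection, and escaping (if used at all) only happens after the connection's charset is set, because that charset is exactly what the escaping rules depend on.

```php
<?php
// Added illustration for the thread above, not code from any participant.
// Assumed: MySQL on localhost, database "app", table users(email VARCHAR, name VARCHAR);
// DB_USER / DB_PASS are placeholders.
declare(strict_types=1);

// 1. Validation needs no database at all, so it can run before any connection.
function validateInput(array $post): array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid email');
    }
    $name = trim((string) ($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 64) {
        throw new InvalidArgumentException('invalid name');
    }
    return ['email' => $email, 'name' => $name];
}

// 2a. Escaping route: escape only AFTER connecting and AFTER setting the
//     connection charset, since the escaping rules are derived from it.
function insertWithEscaping(array $clean): void
{
    $db = mysqli_connect('localhost', 'DB_USER', 'DB_PASS', 'app');
    if ($db === false) {
        throw new RuntimeException(mysqli_connect_error());
    }
    // mysqli_set_charset() tells the client library the charset; a bare
    // "SET NAMES" query would change the server side only.
    mysqli_set_charset($db, 'utf8mb4');
    $email = mysqli_real_escape_string($db, $clean['email']);
    $name  = mysqli_real_escape_string($db, $clean['name']);
    mysqli_query($db, "INSERT INTO users (email, name) VALUES ('$email', '$name')");
    mysqli_close($db);
}

// 2b. Parameter-binding route: values travel separately from the SQL text,
//     so there is no escaping step to get wrong.
function insertWithPdo(array $clean): void
{
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'DB_USER',
        'DB_PASS',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
    $stmt = $pdo->prepare('INSERT INTO users (email, name) VALUES (:email, :name)');
    $stmt->execute([':email' => $clean['email'], ':name' => $clean['name']]);
}

// Usage: reject bad input before a connection exists, then insert.
$clean = validateInput($_POST);
insertWithPdo($clean);
```

The split is the point of Ash's reply: `validateInput()` is the "functions specifically for that" step and has no database dependency, while both insert routes open the connection first and only then deal with escaping or binding. Of the two, the PDO route with emulated prepares disabled is the one that removes the charset-dependent escaping step entirely.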