RE: Sanitizing potential MySQL strings with no database connection

On Tue, 2009-10-20 at 08:43 -0400, Bob McConnell wrote:

> From: Ashley Sheridan
> 
> > On Tue, 2009-10-20 at 14:20 +0200, Andrea Giammarchi wrote:
> >> > Your only option might be to do something "smart". You can't use the
> >> > proper mysql functions without a connection to a database, but you
> >> > refuse to connect to a database until after you perform validation...
> >> > 
> >> > You do realise you can have several db connections open at one time, so
> >> > you could have one always open for the purpose of validation?
> >> > Potentially wasteful, but the architecture in this idea is a little
> >> > different from the norm.
> >> 
> >> I also thought mysql_real_escape_string was dead since every DAL such
> >> PDO or others uses bindings to properly escape variables and a database
> >> related sanitize without database is quite useless, imho.
> >> 
> > 
> > Not everyone uses something like PDO, so yes, sanitising data with
> > mysql_real_escape_string does still happen.
> > 
> > The function clearly states that it needs an open connection to work, so
> > that leaves two choices really: 1) open a damn connection! or 2)
> > reinvent the wheel and create a function which mimics the behavior of
> > this one.
> 
> Is the database connection used to determine the character encoding to
> be used before it inserts new characters into the strings? Would that
> make a difference in this case?
> 
> Bob McConnell
> 


Yes, the mysql_real_escape_string() function uses the database's
character encoding to determine how to encode the string, whereas the
older deprecated version mysql_escape_string() required no connection as
it always assumed Latin-1 (as far as I know). The data itself only needs
to be sanitised just prior to being inserted into the DB anyway; it
shouldn't be used to validate data in any way, there are functions
specifically for that. To me, it just seems that the logic of the script
is flawed if you require the data to be sanitised before a connection
has been made to the DB.

Thanks,
Ash
http://www.ashleysheridan.co.uk
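The point made above, that the escaper has to know the connection's character set, shown as an added example that is not part of this thread and not the MySQL client library's own code: a byte-by-byte escaper that assumes a single-byte encoding such as Latin-1 mangles multibyte text whose trailing bytes happen to equal a backslash or quote, while a charset-aware one leaves it intact. The escape tables and function names are simplified assumptions for illustration.

```python
# Added example (not from the original thread): why an SQL string escaper
# needs the connection's character set. Simplified illustration, not the
# MySQL client library's implementation.

BYTE_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r",
    0x1A: b"\\Z", 0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\",
}
CHAR_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r",
    "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\",
}


def escape_bytes_blind(data: bytes) -> bytes:
    """Escape byte by byte with no knowledge of the character set, as an
    escaper that assumes a single-byte encoding such as Latin-1 would."""
    return b"".join(BYTE_ESCAPES.get(b, bytes([b])) for b in data)


def escape_with_charset(data: bytes, charset: str) -> bytes:
    """Decode under the connection's character set first, so a byte that
    merely looks like a quote or backslash inside a multibyte character
    is left alone. Bytes invalid in that charset raise UnicodeDecodeError
    instead of being guessed at."""
    text = data.decode(charset)
    escaped = "".join(CHAR_ESCAPES.get(c, c) for c in text)
    return escaped.encode(charset)


# Constructed sample: the character 表 (U+8868), whose Shift_JIS encoding
# is the two bytes 0x95 0x5C; the second byte is the ASCII backslash.
SAMPLE = "表".encode("shift_jis")  # b'\x95\x5c'


def compare(data: bytes, charset: str) -> dict:
    """Return each escaper's output and what it decodes to under charset."""
    blind = escape_bytes_blind(data)
    aware = escape_with_charset(data, charset)
    return {
        "blind": blind,
        "blind_decoded": blind.decode(charset, errors="replace"),
        "aware": aware,
        "aware_decoded": aware.decode(charset),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE, "shift_jis").items():
        print(f"{key:14} {value!r}")
```

The blind escaper turns the single character 表 into 表 followed by a stray backslash, which is exactly the kind of corruption a connection-aware escaper avoids; for plain ASCII input such as O'Brien both escapers agree.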
