On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:

> > Yes, the mysql_real_escape_string() function uses the database's character encoding to determine how to encode the
> > string, whereas the older deprecated version mysql_escape_string() required no connection as it always assumed
> > Latin-1 (as far as I know)
>
> Is there such a function that always assumes UTF-8? That's what it
> always will be.
>
> > The data itself only needs to be sanitised just prior to being inserted into the DB anyway, it
> > shouldn't be used to validate data in any way, there are functions specifically for that. To me, it just seems that the logic
> > of the script is flawed if you require the data to be sanitised before a connection has been made to the DB.
>
> I am not requiring the data to be sanitised before a connection has
> been made to the DB. The function that calls
> mysql_real_escape_string() is in an include file of commonly-reused
> functions. Scripts that connect to databases and scripts that do not
> connect to databases include this file.
>
> To clarify, the include file contains these functions:
> function clean_mysql ($dirty)
> function clean_html ($dirty)
> function make_paginated_links_menu ($pages, $difference)
> function obfuscate_email_address ($address)
>
> Not all of the functions are used in all scripts, however, this file
> of reusable functions is included in all of them. Only the clean_mysql
> function gives me trouble because it calls mysql_real_escape_string().
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il

No, and you clearly missed the point about that function being pretty much dead anyway.

You mentioned also in your last email that you would make a DB connection if none existed. That should be very easy if you read the page on mysql_real_escape_string(). It says:

    Returns the escaped string, or FALSE on error.

So all you have to do, is have warnings turned off (as it generates an E_WARNING if you have no active connection) and then look at the return value of a call to the function:

    if(mysql_real_escape_string($variable) === false)
    {
        // create a default DB connection
    }

Thanks,
Ash
http://www.ashleysheridan.co.uk
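
The include-file arrangement discussed in this thread, as an added example that is not code from either poster: clean_mysql() opens the connection only on first use and pins the connection character set before escaping, so scripts that never call it never touch the database. It uses mysqli because the mysql_* extension was removed in PHP 7.0; the db() and find_user_sql() helpers, the users table, and the host, credentials and database name are hypothetical placeholders.

```php
<?php
// Added example; not code from the thread. Host, credentials, database
// name and the db() / find_user_sql() helpers are assumptions.

/**
 * Return the shared connection, opening it on first use only.
 * Including this file costs nothing for scripts that never escape SQL.
 */
function db(): mysqli
{
    static $link = null;
    if ($link === null) {
        // Throw exceptions on failure instead of emitting warnings
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $link = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
        // Escaping follows the connection character set, so set it
        // explicitly rather than relying on the server default.
        $link->set_charset('utf8mb4');
    }
    return $link;
}

/**
 * Escape a value for use inside a quoted SQL string literal.
 * The connection is created here, on demand, if none exists yet.
 */
function clean_mysql(string $dirty): string
{
    return db()->real_escape_string($dirty);
}

/**
 * Usage: the escaped value must still be wrapped in quotes.
 * Nothing connects to the database until this is actually called.
 */
function find_user_sql(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . clean_mysql($name) . "'";
}
```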