Subject | Re: Firebird function equivalent to mysql_escape_string |
---|---|
Author | ajay |
Post date | 2011-03-01T07:27:25Z |
Thanks Mimmo.
Yes, I am converting an application from MySQL to Firebird.
-Ajay
--- In firebird-php@yahoogroups.com, "Umberto" <masotti@...> wrote:
>
> Hi Ajay,
>
> --- In firebird-php@yahoogroups.com, "ajay" <bhola125@> wrote:
> > Does firebird-php have an equivalent API to mysql_escape_string to make data safe before sending it to Firebird?
>
> From PHP on-line manual, mysql_escape_string() is deprecated from 4.3.0, use
> instead mysql_real_escape_string().
> And, quoting from PHP online manual,
> "mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL."
>
> Consider what follows:
> If you have a query in your source, it should already be correctly written.
> If you compose a query with fields coming from $_REQUEST or from user input,
> you are prone to SQL injection, so don't do it.
> If you use parametrised queries, you don't need to escape.
> There was a note some time ago about the use of the runtime configuration
> magic_quotes_sybase, but it's strongly deprecated from 5.3.0.
>
> Are you converting an application from MySQL?
>
> Ciao.
> Mimmo.
>
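
The parametrised-query advice quoted above, as an added example that is not part of the original thread. It assumes the PHP interbase extension (`ibase_*` functions) and a hypothetical `USERS(ID, NAME)` table; the database path and credentials are placeholders, and `addslashes()` stands in for the MySQL-style backslash escaping.

```php
<?php
// Added example, not code from the thread. USERS(ID, NAME), the database
// path and the credentials are hypothetical placeholders.

// MySQL habit carried over: backslash-escape, then concatenate.
// addslashes() stands in for mysql_escape_string() here. Firebird follows
// standard SQL: a backslash inside a string literal is an ordinary
// character and a quote is escaped by doubling it, so the "escaped" quote
// still ends the literal. Shown only to print the resulting statement.
function build_concat_sql(string $name): string
{
    return "SELECT ID, NAME FROM USERS WHERE NAME = '" . addslashes($name) . "'";
}

// Parametrised form: the statement text is fixed and the value is bound to
// the ? placeholder, so it is never parsed as SQL and needs no escaping.
function find_user_param($db, string $name): array
{
    $stmt = ibase_prepare($db, 'SELECT ID, NAME FROM USERS WHERE NAME = ?');
    $res  = ibase_execute($stmt, $name);
    $rows = [];
    while ($row = ibase_fetch_assoc($res)) {
        $rows[] = $row;
    }
    ibase_free_result($res);
    ibase_free_query($stmt);
    return $rows;
}

// Constructed sample input containing a quote.
$name = "O'Brien";

// Prints ... WHERE NAME = 'O\'Brien' : Firebird reads the literal as 'O\'
// followed by stray text, so this statement is malformed, not "safe".
echo build_concat_sql($name), PHP_EOL;

$db = ibase_connect('localhost:/path/to/app.fdb', 'APP_USER', 'placeholder-password');
if ($db === false) {
    exit('connect failed: ' . ibase_errmsg() . PHP_EOL);
}
print_r(find_user_param($db, $name)); // the quote reaches Firebird as data
ibase_close($db);
```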