Subject Re: [firebird-php] Firebird function equivalent to mysql_escape_string
Author marius adrian popa
On Mon, Feb 28, 2011 at 11:57 AM, u.masotti@...
<u.masotti@...> wrote:
> Hi,
> ----Messaggio originale----Does firebird-php has an equivalent API to
> mysql_escape_string to make data safe before sending it to Firebird?
> From PHP on-line manual, mysql_escape_string() is deprecated from 4.3.0, use
> instead mysql_real_escape_string().
> And, quoting from PHP online manual,
> "mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL."
> Consider what follows:
> If you have a query in your source, should be already correctly writtern.
> If you compose a query with fields coming from $_REQUEST or from user input,
> you are prone to SQL injection, so don't do it.
> If you use parametrised queries, you don't need to escape.
> There where a note time age about use of runtime configuration
> magic_quotes_sybase but it's stringly deprecated from 5.3.0.
I have seen the adodb function to quote the string that must be send to the db

* Correctly quotes a string so that all strings are escaped.
We prefix and append
* to the string single-quotes.
* An example is $db->qstr("Don't bother",magic_quotes_runtime());
* @param s the string to quote
* @param [magic_quotes] if $s is GET/POST var, set to
* This undoes the stupidity of
magic quotes for GPC.
* @return quoted string to be sent back to database
function qstr($s,$magic_quotes=false)
if (!$magic_quotes) {

if ($this->replaceQuote[0] == '\\'){
// only since php 4.0.5
$s =
//$s = str_replace("\0","\\\0",
return "'".str_replace("'",$this->replaceQuote,$s)."'";

// undo magic quotes for "
$s = str_replace('\\"','"',$s);

if ($this->replaceQuote == "\\'" ||
ini_get('magic_quotes_sybase')) // ' already quoted, no need to
change anything
return "'$s'";
else {// change \' to '' for sybase/mssql
$s = str_replace('\\\\','\\',$s);

I didn't tested it , I only used regexp in my queries to replace the
quotes but it seems to be sane
Another tip is to use prepared statements that is more safe (query
stays unchaged)
and the parameters will be the only changes in the queries (feed them
from post/get)