Subject Re: [firebird-php] Firebird function equivalent to mysql_escape_string
Author marius adrian popa
On Mon, Feb 28, 2011 at 11:57 AM, u.masotti@...
<u.masotti@...> wrote:
> Hi,
>
> Does firebird-php have an equivalent API to
> mysql_escape_string to make data safe before sending it to Firebird?
>
> From PHP on-line manual, mysql_escape_string() is deprecated from 4.3.0, use
> instead mysql_real_escape_string().
> And, quoting from PHP online manual,
> "mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL."
>
> Consider what follows:
> If you have a query in your source, it should already be correctly written.
> If you compose a query with fields coming from $_REQUEST or from user input,
> you are prone to SQL injection, so don't do it.
> If you use parametrised queries, you don't need to escape.
> There was a note some time ago about use of the runtime configuration
> magic_quotes_sybase, but it's strongly deprecated from 5.3.0.
I have seen the adodb function to quote the string that must be sent to the db

http://sourceforge.net/projects/adodb/files/adodb-php5-only/adodb-511-for-php5/

/**
 * Correctly quotes a string so that all strings are escaped. We prefix and append
 * to the string single-quotes.
 * An example is $db->qstr("Don't bother",magic_quotes_runtime());
 *
 * @param s the string to quote
 * @param [magic_quotes] if $s is GET/POST var, set to get_magic_quotes_gpc().
 *   This undoes the stupidity of magic quotes for GPC.
 *
 * @return quoted string to be sent back to database
 */
// Method of ADOConnection: $this->replaceQuote is the driver's replacement for a
// single quote (the ibase driver uses two single quotes, "''"), and
// adodb_str_replace() is ADOdb's own str_replace wrapper.
function qstr($s,$magic_quotes=false)
{
	if (!$magic_quotes) {

		if ($this->replaceQuote[0] == '\\'){
			// only since php 4.0.5
			$s = adodb_str_replace(array('\\',"\0"),array('\\\\',"\\\0"),$s);
			//$s = str_replace("\0","\\\0", str_replace('\\','\\\\',$s));
		}
		return "'".str_replace("'",$this->replaceQuote,$s)."'";
	}

	// undo magic quotes for "
	$s = str_replace('\\"','"',$s);

	if ($this->replaceQuote == "\\'" || ini_get('magic_quotes_sybase')) // ' already quoted, no need to change anything
		return "'$s'";
	else {// change \' to '' for sybase/mssql
		$s = str_replace('\\\\','\\',$s);
		return "'".str_replace("\\'",$this->replaceQuote,$s)."'";
	}
}


I didn't test it, I only used regexps in my queries to replace the
quotes, but it seems to be sane.
Another tip is to use prepared statements, which is safer (the query
stays unchanged)
http://www.php.net/manual/en/function.ibase-execute.php
and the parameters will be the only changes in the queries (feed them
from post/get)
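The prepared-statement approach from the message above, written out as an added example (not code from the thread or from ADOdb). The connection string, credentials and the CUSTOMERS table are placeholders; the fb_quote() helper is a hypothetical fallback for the rare literal that cannot be bound.

```php
<?php
// Added example: a parametrised query against Firebird with the ibase extension.
// The SQL text is fixed at coding time; request data only ever travels as a
// bound value, so a single quote in the input cannot change the statement.

function find_customers($db, $name)
{
    // CUSTOMERS and its columns are assumed for this example.
    $sql = 'SELECT ID, NAME FROM CUSTOMERS WHERE NAME = ?';

    $stmt = ibase_prepare($db, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . ibase_errmsg());
    }

    // The value replaces the ? placeholder on the server side; a name such
    // as "O'Brien" is compared literally, it is never parsed as SQL.
    $rs = ibase_execute($stmt, $name);
    if ($rs === false) {
        throw new RuntimeException('execute failed: ' . ibase_errmsg());
    }

    $rows = array();
    while ($row = ibase_fetch_assoc($rs)) {
        $rows[] = $row;
    }
    ibase_free_result($rs);
    ibase_free_query($stmt);
    return $rows;
}

// Fallback for a literal that genuinely cannot be parametrised (hypothetical
// helper). Firebird escapes a quote inside a string literal by doubling it and
// does not treat backslash specially, so mysql_real_escape_string() output
// would be wrong here.
function fb_quote($s)
{
    return "'" . str_replace("'", "''", $s) . "'";
}

// Placeholder connection details.
$db = ibase_connect('localhost:/path/to/database.fdb', 'SYSDBA', 'masterkey');
$name = isset($_GET['name']) ? $_GET['name'] : '';
foreach (find_customers($db, $name) as $row) {
    echo $row['ID'], ' ', $row['NAME'], "\n";
}
ibase_close($db);
```

ibase_query() also accepts bind values after the SQL string, so the same pattern works without an explicit ibase_prepare() call for one-off statements.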