On Tue, 2009-10-20 at 14:58 +0200, Dotan Cohen wrote:
> > Yes, the mysql_real_escape_string() function uses the database's character
> > encoding to determine how to encode the
> > string, whereas the older deprecated version mysql_escape_string() required
> > no connection as it always assumed
> > Latin-1 (as far as I know)
>
> Is there such a function that always assumes UTF-8? That's what it
> always will be.
>
>
> > The data itself only needs to be sanitised just prior to being inserted
> > into the DB anyway, it
> > shouldn't be used to validate data in any way, there are functions
> > specifically for that. To me, it just seems that the logic
> > of the script is flawed if you require the data to be sanitised before a
> > connection has been made to the DB.
> >
>
> I am not requiring the data to be sanitised before a connection has
> been made to the DB. The function that calls
> mysql_real_escape_string() is in an include file of commonly-reused
> functions. Scripts that connect to databases and scripts that do not
> connect to databases include this file.
>
> To clarify, the include file contains these functions:
> function clean_mysql ($dirty)
> function clean_html ($dirty)
> function make_paginated_links_menu ($pages, $difference)
> function obfuscate_email_address ($address)
>
> Not all of the functions are used in all scripts, however, this file
> of reusable functions is included in all of them. Only the clean_mysql
> function gives me trouble because it calls mysql_real_escape_string().
>
> --
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
>
No, and you clearly missed the point about that function being pretty
much dead anyway.
You mentioned also in your last email that you would make a DB
connection if none existed. That should be very easy if you read the
page on mysql_real_escape_string().
It says:
Returns the escaped string, or FALSE on error.
So all you have to do, is have warnings turned off (as it generates an
E_WARNING if you have no active connection) and then look at the return
value of a call to the function:
if(mysql_real_escape_string($variable) === false)
{
    // create a default DB connection
}
Thanks,
Ash
http://www.ashleysheridan.co.uk
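
The lazy-connection idea from this thread, as an added example that is not code from either poster: clean_mysql() opens the connection on first use, passes the link explicitly so no warning needs suppressing, and fails closed instead of letting FALSE reach a query. It assumes a PHP version that still ships ext/mysql (removed in PHP 7.0); db_link() and the DB_* constants are hypothetical names with placeholder values.

```php
<?php
// Added example. db_link() and the DB_* constants are hypothetical;
// the values below are placeholders, not real credentials.
define('DB_HOST', 'localhost');
define('DB_USER', 'app_user');
define('DB_PASS', 'change-me');

/**
 * Return the shared connection, opening it the first time it is needed.
 * Scripts that never call clean_mysql() never touch the database.
 */
function db_link()
{
    static $link = null;
    if ($link === null) {
        $link = mysql_connect(DB_HOST, DB_USER, DB_PASS);
        if ($link === false) {
            throw new RuntimeException('DB connect failed: ' . mysql_error());
        }
        // mysql_set_charset() (PHP 5.2.3+) tells the client library which
        // encoding is in use; mysql_real_escape_string() escapes according
        // to it. This is how the "always UTF-8" requirement is met.
        if (!mysql_set_charset('utf8', $link)) {
            throw new RuntimeException('Cannot set charset: ' . mysql_error($link));
        }
    }
    return $link;
}

/**
 * Escape a value for use inside a quoted SQL string literal.
 */
function clean_mysql($dirty)
{
    $link  = db_link();
    $clean = mysql_real_escape_string($dirty, $link);
    if ($clean === false) {
        // Fail closed: FALSE would otherwise be cast to an empty string
        // when concatenated into the query.
        throw new RuntimeException('Escaping failed: ' . mysql_error($link));
    }
    return $clean;
}

// Constructed usage: the escaped value still has to sit inside quotes.
$name = "O'Reilly";
$sql  = "SELECT id FROM users WHERE name = '" . clean_mysql($name) . "'";
```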