Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf

2009-02-21 Thread German Geek
Ah, ic. Mh, why wouldn't a function like that function without a db
connection? Does it use the db? Isn't that less efficient? I might just use
str_replace, because I can't think of any way that one could get a sql
injection into

str_replace("'", "\\'", $value); // might need to replace a literal \ too.

If you can, please enlighten me.

Maybe if they enter something like \c ?? Like one of the mysql special
commands? But if it's inside a string literal??

Thanks a lot, I would have never thought about that.

Will try.

Tim-Hinnerk Heuer

http://www.ihostnz.com
George Burns  - I would go out with women my age, but there are no women my
age.

2009/2/21 Ross McKay ro...@zeta.org.au

 On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:

 Can anyone here tell me why mysql_real_escape_string(asdasddas) returns
 an
 empty string?

 Have you opened a connection to a MySQL database? It won't work without
 an open connection.
 --
 Ross McKay, Toronto, NSW Australia
 Let the laddie play wi the knife - he'll learn
 - The Wee Book of Calvin

 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf

2009-02-21 Thread Ashley Sheridan
On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:
 Ah, ic. Mh, why wouldn't a function like that function without a db
 connection? Does it use the db? Isn't that less efficient? I might just use
 str_replace, because I can't think of any way that one could get a sql
 injection into
 
 str_replace("'", "\\'", $value); // might need to replace a literal \ too.
 
 If you can, please enlighten me.
 
 Maybe if they enter something like \c ?? Like one of the mysql special
 commands? But if it's inside a string literal??
 
 Thanks a lot, I would have never thought about that.
 
 Will try.
 
It doesn't actually use the connection, but it requires one to be open
before you can use it. You said you're using this on a query anyway, so
why not open the connection to mysql?


Ash
www.ashleysheridan.co.uk





Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf

2009-02-21 Thread Ross McKay
German Geek wrote:

Ah, ic. Mh, why wouldn't a function like that function without a db
connection? Does it use the db? Isn't that less efficient? 

It doesn't use the db - at least, it doesn't make a call to the db. It
probably wants a db resource handle so that it can know what character
set it is meant to be handling, which is established as a property on
the connection.

I might just use
str_replace, because I can't think of any way that one could get a sql
injection into

str_replace("'", "\\'", $value); // might need to replace a literal \ too.

If you can, please enlighten me.

And also: NUL, LF, CR,  and ^Z

Or you could just call mysql_real_escape_string and know that you
haven't coded your str_replace with some hole in it :)
-- 
Ross McKay, Toronto, NSW Australia
The chief cause of problems is solutions -Eric Sevareid

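As an added illustration of Ross's points above (example code, not from anyone in the thread; the function names are hypothetical), this compares the single-quote str_replace with an escape covering the full character set that mysql_real_escape_string handles, and runs both through a small model of how the server scans a quoted literal. It assumes PHP 7 or later for the type declarations; in current PHP the real answer is mysqli/PDO prepared statements rather than any hand-rolled escaping.

```php
<?php
// Added example, not code from the thread. Hypothetical helper names.
// naive_escape() is the poster's str_replace idea; full_escape() covers the
// character set MySQL's escaping handles for single-byte charsets:
// NUL, LF, CR, backslash, single quote, double quote and Ctrl-Z.
// Multibyte charsets are why mysql_real_escape_string needs a connection.

function naive_escape(string $value): string {
    return str_replace("'", "\\'", $value);   // only the quote is handled
}

function full_escape(string $value): string {
    // strtr() with an array is a single pass, so a backslash produced by
    // one replacement is never re-escaped by another.
    return strtr($value, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Minimal model of how the server scans a single-quoted literal body:
// a backslash consumes the next byte, an unconsumed quote ends the literal,
// and a trailing backslash would swallow the closing quote. (The '' doubling
// form is ignored here.) True means the whole value stays inside the literal.
function stays_inside_literal(string $escaped): bool {
    $len = strlen($escaped);
    for ($i = 0; $i < $len; $i++) {
        if ($escaped[$i] === "\\") {
            if ($i === $len - 1) return false;   // would escape the closing quote
            $i++;                                // skip the escaped byte
        } elseif ($escaped[$i] === "'") {
            return false;                        // literal terminates early
        }
    }
    return true;
}

// Constructed sample: a backslash immediately before a quote. Escaping only
// the quote turns \' into \\', which the server reads as an escaped
// backslash followed by a closing quote; full_escape() escapes both bytes.
$input = "x\\'y";
foreach (['naive' => naive_escape($input), 'full' => full_escape($input)] as $name => $escaped) {
    printf("%-6s %-8s %s\n", $name, $escaped, stays_inside_literal($escaped) ? 'inside' : 'BREAKS OUT');
}
```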



Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf

2009-02-21 Thread Per Jessen
Ross McKay wrote:

 It doesn't use the db - at least, it doesn't make a call to the db. It
 probably wants a db resource handle so that it can know what character
 set it is meant to be handling, which is established as a property on
 the connection.

Yep, that's exactly why. 

If the current character set is unimportant, you can use
mysql_escape_string() instead.  (yes, I know it's deprecated).


-- 
Per Jessen, Zürich (4.8°C)





[PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf

2009-02-20 Thread Ross McKay
On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:

Can anyone here tell me why mysql_real_escape_string(asdasddas) returns an
empty string?

Have you opened a connection to a MySQL database? It won't work without
an open connection.
-- 
Ross McKay, Toronto, NSW Australia
Let the laddie play wi the knife - he'll learn
- The Wee Book of Calvin
