Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf
Ah, ic. Mh, why wouldn't a function like that function without a db connection? Does it use the db? Isn't that less efficient?

I might just use str_replace, because i can't think of any way that one could get a sql injection into str_replace(', \\\', $value); // might need to replace a literal \ too. If you can, please enlighten me. Maybe if they enter something like \c ?? Like one of the mysql special commands? But if it's inside a string literal??

Thanks a lot, i would have never thought about that. Will try.

Tim-Hinnerk Heuer
http://www.ihostnz.com
George Burns - I would go out with women my age, but there are no women my age.

2009/2/21 Ross McKay ro...@zeta.org.au

> On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:
>
> > Can anyone here tell me why mysql_real_escape_string(asdasddas) returns an empty string?
>
> Have you opened a connection to a MySQL database? It won't work without an open connection.
> --
> Ross McKay, Toronto, NSW Australia
> Let the laddie play wi the knife - he'll learn - The Wee Book of Calvin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf
On Sat, 2009-02-21 at 22:55 +1300, German Geek wrote:

> Ah, ic. Mh, why wouldn't a function like that function without a db connection? Does it use the db? Isn't that less efficient?
>
> I might just use str_replace, because i can't think of any way that one could get a sql injection into str_replace(', \\\', $value); // might need to replace a literal \ too. If you can, please enlighten me. Maybe if they enter something like \c ?? Like one of the mysql special commands? But if it's inside a string literal??
>
> Thanks a lot, i would have never thought about that. Will try.
>
> Tim-Hinnerk Heuer
> http://www.ihostnz.com
> George Burns - I would go out with women my age, but there are no women my age.
>
> 2009/2/21 Ross McKay ro...@zeta.org.au
>
> > On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:
> >
> > > Can anyone here tell me why mysql_real_escape_string(asdasddas) returns an empty string?
> >
> > Have you opened a connection to a MySQL database? It won't work without an open connection.
> > --
> > Ross McKay, Toronto, NSW Australia
> > Let the laddie play wi the knife - he'll learn - The Wee Book of Calvin

It doesn't actually use the connection, but it requires one to be open before you can use it. You said you're using this on a query anyway, so why not open the connection to mysql?

Ash
www.ashleysheridan.co.uk
Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf
German Geek wrote:

> Ah, ic. Mh, why wouldn't a function like that function without a db connection? Does it use the db? Isn't that less efficient?

It doesn't use the db - at least, it doesn't make a call to the db. It probably wants a db resource handle so that it can know what character set it is meant to be handling, which is established as a property on the connection.

> I might just use str_replace, because i can't think of any way that one could get a sql injection into str_replace(', \\\', $value); // might need to replace a literal \ too. If you can, please enlighten me.

And also: NUL, LF, CR, and ^Z

Or you could just call mysql_real_escape_string and know that you haven't coded your str_replace with some hole in it :)

--
Ross McKay, Toronto, NSW Australia
The chief cause of problems is solutions -Eric Sevareid
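
Added example, not part of any message in this thread: it compares the quote-only str_replace() idea with the byte set the PHP manual documents for mysql_real_escape_string(), and checks whether each result stays inside a '...' literal. The function names and sample values are hypothetical, and it assumes a single-byte character set and MySQL's default mode in which backslash is the escape character.

```php
<?php
// Added illustration; not code from the thread. Single-byte charsets only.

// The str_replace() idea from the thread: escape the single quote and nothing else.
function naive_escape(string $v): string {
    return str_replace("'", "\\'", $v);
}

// Escapes the bytes the PHP manual lists for mysql_real_escape_string():
// NUL, LF, CR, backslash, single quote, double quote and Ctrl-Z.
// Comparison aid only; it knows nothing about the connection character set.
function reference_escape(string $v): string {
    return strtr($v, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'" => "\\'", '"' => '\\"', "\x1a" => "\\Z",
    ]);
}

// Reads $body the way a '...' literal with backslash escapes is read and
// reports whether it stays inside the quotes the query author wrote.
function stays_inside_literal(string $body): bool {
    $n = strlen($body);
    for ($i = 0; $i < $n; $i++) {
        if ($body[$i] === "\\") {
            if ($i === $n - 1) {
                return false;   // lone trailing backslash swallows the closing quote
            }
            $i++;               // skip the escaped byte
        } elseif ($body[$i] === "'") {
            return false;       // unescaped quote ends the literal early
        }
    }
    return true;
}

// Constructed sample values (in PHP single quotes, \\ is one backslash).
$samples = ['O\'Reilly', 'C:\\temp\\', 'a\\\'b'];

foreach ($samples as $s) {
    printf("%-12s naive=%-5s reference=%s\n",
        $s,
        var_export(stays_inside_literal(naive_escape($s)), true),
        var_export(stays_inside_literal(reference_escape($s)), true));
}
```

The mysql_* functions discussed in the thread were removed in PHP 7.0; mysqli_real_escape_string() is the connection-aware equivalent, and prepared statements remove the need to escape values by hand.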
Re: [PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf
Ross McKay wrote:

> It doesn't use the db - at least, it doesn't make a call to the db. It probably wants a db resource handle so that it can know what character set it is meant to be handling, which is established as a property on the connection.

Yep, that's exactly why. If the current character set is unimportant, you can use mysql_escape_string() instead. (yes, I know it's deprecated).

--
Per Jessen, Zürich (4.8°C)
[PHP] Re: mysql_real_escape_string(asdasddas) ??? wtf
On Sat, 21 Feb 2009 19:19:44 +1300, t...@ihostnz.com wrote:

> Can anyone here tell me why mysql_real_escape_string(asdasddas) returns an empty string?

Have you opened a connection to a MySQL database? It won't work without an open connection.

--
Ross McKay, Toronto, NSW Australia
Let the laddie play wi the knife - he'll learn - The Wee Book of Calvin