Escaping for PHP and MySQL

on 09.08.2007 12:42:55 by Bucky Kaufman

I just found out that an app I wrote doesn't allow the user to input
apostrophes into the textarea. If they do, the insert/update fails.

I'm sure this issue has been done to death - but it's the first time
it's come up for me.

What I'm doing is something like this:

function UpdateRecord($iID, $sContent) {
    $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
    $bSuccess = RunSQL($sSQL);
    return $bSuccess;
}

Is there a simple escape command, or am I going to have to get all into
writing some complex handler for apostrophes and whatnot.

Note: In this example, I'm *totally* ignoring the threat from SQL
injection. I just don't want apostrophes to crash the update/create.

Re: Escaping for PHP and MySQL

on 09.08.2007 14:27:39 by Jerry Stuckle

Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {
> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
> $bSuccess = RunSQL($sSQL);
> return $bSuccess;
> }
>
> Is there a simple escape command, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.
>

Yes.

> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.
>
>
>


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: Escaping for PHP and MySQL

on 09.08.2007 15:12:05 by zeldorblat

On Aug 9, 6:42 am, Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {
> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
> $bSuccess = RunSQL($sSQL);
> return $bSuccess;
>
> }
>
> Is there a simple escape command, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

Yes. But you haven't said which database you're using. If you're
using MySQL you want mysql_real_escape_string().

>
> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.

Using mysql_real_escape_string() will protect you from that, too.

Re: Escaping for PHP and MySQL

on 09.08.2007 16:21:49 by allampraveen

Please use addslashes php function to the string and then try

Re: Escaping for PHP and MySQL

on 09.08.2007 16:27:36 by gosha bine

On 09.08.2007 12:42 Sanders Kaufman wrote:
> I just found out that an app I wrote doesn't allow the user to input
> apostrophes into the textarea. If they do, the insert/update fails.
>
> I'm sure this issue has been done to death - but it's the first time
> it's come up for me.
>
> What I'm doing is something like this:
>
> function UpdateRecord($iID, $sContent) {

$sContent = addslashes($sContent);

> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
> $bSuccess = RunSQL($sSQL);
> return $bSuccess;
> }
>
> Is there a simple escape command

Yes, see above

>, or am I going to have to get all into
> writing some complex handler for apostrophes and whatnot.

For the real-world applications you have to use a complex handler, but
there's no need to write it, just use an existing library like PDO,
mysqli etc.

>
> Note: In this example, I'm *totally* ignoring the threat from SQL
> injection. I just don't want apostrophes to crash the update/create.
>



--
gosha bine

makrell ~ http://www.tagarga.com/blok/makrell
php done right ;) http://code.google.com/p/pihipi

Re: Escaping for PHP and MySQL

on 09.08.2007 16:45:56 by Jerry Stuckle

allampraveen@gmail.com wrote:
> Please use addslashes php function to the string and then try
>

addslashes() is not the correct function to use.
mysql_real_escape_string() is.


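zeldorblat and gosha bine above point to mysql_real_escape_string() and to libraries such as PDO or mysqli, and Jerry Stuckle rules out addslashes(); the PHP below is an added example, not code posted by anyone in this thread, showing the original UpdateRecord() written both ways with mysqli. It assumes a mysqli connection `$db`, hypothetical credentials, and a table MyTable(id INT, content TEXT); the ext/mysql function mysql_real_escape_string() named in the thread was removed in PHP 7, so its mysqli counterpart is used instead.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db to a
// database holding MyTable(id INT, content TEXT). mysql_real_escape_string()
// (ext/mysql) was removed in PHP 7; mysqli's real_escape_string() replaces it.

// Variant 1: escaping. Fixes the apostrophe problem as long as the
// connection's character set has been set, because the escaper is
// charset-aware (which is why it is preferred over addslashes()).
// $iID is interpolated only because the int type hint guarantees an integer.
function UpdateRecordEscaped(mysqli $db, int $iID, string $sContent): bool {
    $sSafe = $db->real_escape_string($sContent);
    $sSQL  = "UPDATE MyTable SET content='$sSafe' WHERE id=$iID";
    return $db->query($sSQL) === true;
}

// Variant 2: prepared statement. The content never becomes part of the SQL
// text, so apostrophes cannot break the statement and nothing is escaped.
function UpdateRecordPrepared(mysqli $db, int $iID, string $sContent): bool {
    $stmt = $db->prepare("UPDATE MyTable SET content=? WHERE id=?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $sContent, $iID);   // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed usage with hypothetical credentials; replace with your own.
$db = new mysqli('localhost', 'user', 'password', 'mydb');
$db->set_charset('utf8mb4');   // needed for real_escape_string() to be correct
$sUserText = "It's the first time it's come up for me.";   // constructed input
var_dump(UpdateRecordEscaped($db, 42, $sUserText));
var_dump(UpdateRecordPrepared($db, 42, $sUserText));
```

Both variants accept the apostrophes that broke the original UPDATE; the prepared form is the one to reach for in new code, since it needs no charset or escaping discipline at each call site.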
Re: Escaping for PHP and MySQL

on 09.08.2007 16:46:32 by Jerry Stuckle

gosha bine wrote:
> On 09.08.2007 12:42 Sanders Kaufman wrote:
>> I just found out that an app I wrote doesn't allow the user to input
>> apostrophes into the textarea. If they do, the insert/update fails.
>>
>> I'm sure this issue has been done to death - but it's the first time
>> it's come up for me.
>>
>> What I'm doing is something like this:
>>
>> function UpdateRecord($iID, $sContent) {
>
> $sContent = addslashes($sContent);
>

mysql_real_escape_string() is much better for this.

>> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>> $bSuccess = RunSQL($sSQL);
>> return $bSuccess;
>> }
>>
>> Is there a simple escape command
>
> Yes, see above
>
>> , or am I going to have to get all into writing some complex handler
>> for apostrophes and whatnot.
>
> For the real-world applications you have to use a complex handler, but
> there's no need to write it, just use an existing library like PDO,
> mysqli etc.
>
>>
>> Note: In this example, I'm *totally* ignoring the threat from SQL
>> injection. I just don't want apostrophes to crash the update/create.
>>
>
>
>


Re: Escaping for PHP and MySQL

on 09.08.2007 23:15:27 by Toby A Inkster

ZeldorBlat wrote:

> But you haven't said which database you're using.

See subject line.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 50 days, 54 min.]

Command Line Interfaces, Again
http://tobyinkster.co.uk/blog/2007/08/02/command-line-again/

Re: Escaping for PHP and MySQL

on 09.08.2007 23:55:40 by Bucky Kaufman

ZeldorBlat wrote:
> On Aug 9, 6:42 am, Sanders Kaufman wrote:
>> I just found out that an app I wrote doesn't allow the user to input
>> apostrophes into the textarea. If they do, the insert/update fails.
>>
>> I'm sure this issue has been done to death - but it's the first time
>> it's come up for me.
>>
>> What I'm doing is something like this:
>>
>> function UpdateRecord($iID, $sContent) {
>> $sSQL = "UPDATE MyTable SET content='$sContent' where id=$iID";
>> $bSuccess = RunSQL($sSQL);
>> return $bSuccess;
>>
>> }
>>
>> Is there a simple escape command, or am I going to have to get all into
>> writing some complex handler for apostrophes and whatnot.
>
> Yes. But you haven't said which database you're using. If you're
> using MySQL you want mysql_real_escape_string().

Thanks - I'll look into that and addslashes.
BTW - did you notice the subject line of this post? :)

Re: Escaping for PHP and MySQL

on 10.08.2007 00:30:50 by unknown

Post removed (X-No-Archive: yes)

Re: Escaping for PHP and MySQL

on 10.08.2007 01:51:02 by Bucky Kaufman

Sanders Kaufman wrote:
> ZeldorBlat wrote:

>> Yes. But you haven't said which database you're using. If you're
>> using MySQL you want mysql_real_escape_string().

It's interesting that this function is not fully a part of PHP, but
rather relies on some libraries in MySQL.

Seems to me, if I was the PHP guys, I wouldn't have made it so. Must be
a liability risk-avoidance thing.

I guess that's just one more reason why PHP5's features are what I wanna
go to as quick as possible.

Re: Escaping for PHP and MySQL

on 10.08.2007 03:06:47 by Jerry Stuckle

Sanders Kaufman wrote:
> Sanders Kaufman wrote:
>> ZeldorBlat wrote:
>
>>> Yes. But you haven't said which database you're using. If you're
>>> using MySQL you want mysql_real_escape_string().
>
> It's interesting that this function is not fully a part of PHP, but
> rather relies on some libraries in MySQL.
>
> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must be
> a liability risk-avoidance thing.
>
> I guess that's just one more reason why PHP5's features are what I wanna
> go to as quick as possible.

That's because it's a wrapper to the same function in MySQL. Why
duplicate effort - especially since you don't have all the information
available, anyway?

Maybe you want mysql_connect() and mysql_query() to be pure PHP
functions also?

The same is true in PHP5.

Re: Escaping for PHP and MySQL

on 10.08.2007 03:14:17 by Michael Fesser

.oO(Sanders Kaufman)

>> ZeldorBlat wrote:
>
>>> Yes. But you haven't said which database you're using. If you're
>>> using MySQL you want mysql_real_escape_string().
>
>It's interesting that this function is not fully a part of PHP, but
>rather relies on some libraries in MySQL.

You would be surprised how many of PHP's functions are just wrappers
around external libraries. I would say that's the case for >90% of it.

>Seems to me, if I was the PHP guys, I wouldn't have made it so.

You would have rewritten all the functions of the MySQL library in PHP?
Think about it ...

Micha

Re: Escaping for PHP and MySQL

on 11.08.2007 10:12:24 by Bucky Kaufman

Jerry Stuckle wrote:
> Sanders Kaufman wrote:

>> It's interesting that this function is not fully a part of PHP, but
>> rather relies on some libraries in MySQL.
>>
>> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must
>> be a liability risk-avoidance thing.
>>
>> I guess that's just one more reason why PHP5's features are what I
>> wanna go to as quick as possible.
>
> That's because it's a wrapper to the same function in MySQL. Why
> duplicate effort - especially since you don't have all the information
> available, anyway?

Gosh Jerry, you promised to ignore my posts; to not respond to any more
of them.

I'd appreciate it very much if you'd stick to your word of honor on this.

If you have something to offer - go ahead. But if you're just trolling
for a fight - this ain't the place for it.

Re: Escaping for PHP and MySQL

on 11.08.2007 10:16:31 by Bucky Kaufman

Michael Fesser wrote:

> You would be surprised how many of PHP's functions are just wrappers
> around external libraries. I would say that's the case for >90% of it.

I *am* surprised.

>> Seems to me, if I was the PHP guys, I wouldn't have made it so.
>
> You would have rewritten all the functions of the MySQL library in PHP?
> Think about it ...

No - not all. Didn't say that; didn't imply it.

I just thought that the subset of MySQL-related features were entirely
within the PHP binaries.

I guess I now know why PHP with MySQL support has to be compiled to
include the MySQL libraries.

Personally - I'm a recovering Microsoftie, so this whole thing about
compiling and recompiling other people's applications, with other
people's applications still totally blows me away.

Re: Escaping for PHP and MySQL

on 11.08.2007 15:34:48 by Jerry Stuckle

Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>> Sanders Kaufman wrote:
>
>>> It's interesting that this function is not fully a part of PHP, but
>>> rather relies on some libraries in MySQL.
>>>
>>> Seems to me, if I was the PHP guys, I wouldn't have made it so. Must
>>> be a liability risk-avoidance thing.
>>>
>>> I guess that's just one more reason why PHP5's features are what I
>>> wanna go to as quick as possible.
>>
>> That's because it's a wrapper to the same function in MySQL. Why
>> duplicate effort - especially since you don't have all the information
>> available, anyway?
>
> Gosh Jerry, you promised to ignore my posts; to not respond to any more
> of them.
>
> I'd appreciate it very much if you'd stick to your word of honor on this.
>
> If you have something to offer - go ahead. But if you're just trolling
> for a fight - this ain't the place for it.

No, just pointing out that this was one of the stupidest questions I've
seen in this newsgroup in a long time.

Re: Escaping for PHP and MySQL

on 11.08.2007 15:38:34 by Jerry Stuckle

Sanders Kaufman wrote:
> Michael Fesser wrote:
>
>> You would be surprised how many of PHP's functions are just wrappers
>> around external libraries. I would say that's the case for >90% of it.
>
> I *am* surprised.
>
>>> Seems to me, if I was the PHP guys, I wouldn't have made it so.
>>
>> You would have rewritten all the functions of the MySQL library in PHP?
>> Think about it ...
>
> No - not all. Didn't say that; didn't imply it.
>
> I just thought that the subset of MySQL-related features were entirely
> within the PHP binaries.
>
> I guess I now know why PHP with MySQL support has to be compiled to
> include the MySQL libraries.
>
> Personally - I'm a recovering Microsoftie, so this whole thing about
> compiling and recompiling other people's applications, with other
> people's applications still totally blows me away.

PHP doesn't recompile MySQL or any other applications. It just links
into the MySQL libraries.

Did you ever write a non-web based application - i.e. C/C++, which used
MS SQL? Or even a Windows application? Did you recompile MS SQL or
Windows for your application? Or did you just link to their libraries?


Re: Escaping for PHP and MySQL

on 11.08.2007 16:48:20 by Bucky Kaufman

Jerry Stuckle wrote:

> No, just pointing out that this was one of the stupidest questions I've
> seen in this newsgroup in a long time.

I'm still new to the whole Thunderbird/Firefox thing.
Can anyone tell me how to filter out messages like this?

I used to be able to do it in Outlook Express - but I can't figure out how it
works in Thunderbird(?).

Re: Escaping for PHP and MySQL

on 11.08.2007 17:21:00 by Michael Fesser

.oO(Sanders Kaufman)

>I just thought that the subset of MySQL-related features were entirely
>within the PHP binaries.

Nope, just the symbols, the names of the external functions.

>I guess I now know why PHP with MySQL support has to be compiled to
>include the MySQL libraries.
>
>Personally - I'm a recovering Microsoftie, so this whole thing about
>compiling and recompiling other people's applications, with other
>people's applications still totally blows me away.

The external libraries are never recompiled (unless you do that of
course, but usually that's not necessary). What's compiled into PHP are
the names and references to the external functions, classes etc., so PHP
knows where it can find the actual binary code when it's requested.

It's really not that complicated.

Micha

Re: Escaping for PHP and MySQL

on 11.08.2007 17:26:27 by Jerry Stuckle

Sanders Kaufman wrote:
> Jerry Stuckle wrote:
>
>> No, just pointing out that this was one of the stupidest questions
>> I've seen in this newsgroup in a long time.
>
> I'm still new to the whole Thunderbird/Firefox thing.
> Can anyone tell me how to filter out messages like this?
>
> I used to be able to do it in Outlook Express - but I can't figure out how it
> works in Thunderbird(?).

ROFLMAO! We know you can't program. Can't figure out how to use
Thunderbird, either, huh?

Do you need help peeing? Or can you read the instructions?

Re: Escaping for PHP and MySQL

on 11.08.2007 18:23:33 by Bucky Kaufman

Michael Fesser wrote:
> .oO(Sanders Kaufman)

>> Personally - I'm a recovering Microsoftie, so this whole thing about
>> compiling and recompiling other people's applications, with other
>> people's applications still totally blows me away.
>
> The external libraries are never recompiled (unless you do that of
> course, but usually that's not necessary). What's compiled into PHP are
> the names and references to the external functions, classes etc., so PHP
> knows where it can find the actual binary code when it's requested.
>
> It's really not that complicated.

Yeah - that's what I keep telling my grampa about his cable remote - but
he still gets goofy about the whole Video1/Video2 thing. :)

But it's really not that complicated.