MiStr
asked on
PHP ADOdb and mysqli_real_escape_string()
My current codebase uses ADOdb and mysql php extension.
I am now converting codebase to use mysqli php extension, and cannot figure out what to do with the mysql_escape_string() function.
I have converted it to mysqli_real_escape_string( ), passing it $conn (ADOdb connection object) as param 1, and the original string as param 2.
It doesn't work. The error indicates that a mysqli was expected, but an "object" was received.
Perhaps ADOdb doesn't need any escape_string functions anyway? Does it inherently escape strings when executing queries?
Plus, the code snippet where mysql_escape_string() is being used is NOT immediately involved in a query, but is populating an array.
function some_function($x)
{
    global $conn;   // $conn is the ADOdb connection object, not a native mysqli link
    // This is the call that fails: mysqli_real_escape_string() expects a mysqli link as param 1
    $this->exportArray[$x] = mysqli_real_escape_string($conn, $this->holdArray[$x]);
}
ASKER
I realize that mysql_real_escape_string() or mysqli_real_escape_string( ) is used for escaping strings.
However, using the new mysqli_real_escape_string( ) function, the first parameter is a DB CONNECTION parameter.
I am not asking (or caring about) the idea of escaping a string, but this is a question about the db connection object, as used in the ADOdb library.
Does anyone know the ADOdb library from sourceforge, and specifically how to use mysqli_real_escape_string( ) with it, ESPECIALLY how to use the ADOdb connection as the first parameter to this function?
Or is this escape function even needed when using the ADOdb library?
You can't use mysql_real_escape_string() with ADOdb. It REQUIRES a mysql_connect()-type connection resource ID.
You will have to recreate the function as your own custom function.
ASKER
NOTE: this is for mysqli and not mysql.
From the php docs (http://www.php.net/manual/en/mysqli.real-escape-string.php), they mention the following:
> string mysqli_real_escape_string ( mysqli $link , string $escapestr )
> This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection
So, the question is really about the workings of ADOdb as used with MySQL. Is there a part of the ADOdb connection object that contains a mysqli connection resource ID?
OR - perhaps ADOdb just doesn't need the escaping functions, since it does this internally? I shouldn't have to create any custom functions... that's what the ADOdb library should already be solving...
No,
the ADOdb Library does its own thing.
mysql_real_escape_string() is to prevent sql injection hacking.
ADOdb is still vulnerable to these attacks.
you need to create your own custom function in this case to protect against them.
ASKER
After more digging into ADOdb, I encountered the qstr() function. It not only quotes a string properly for DB insertion, but also escapes strings, strips slashes, etc. It uses mysqli_real_escape_string() behind the scenes.
Eg. $s = $db->qstr($HTTP_GET_VARS['name'], get_magic_quotes_gpc());
So, this should work.
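The three routes discussed in this thread, side by side, as an added example rather than code from any of the posts: letting ADOdb quote via qstr(), calling mysqli_real_escape_string() directly with the native link, and using bound parameters so nothing has to be escaped at the call site. It assumes ADOdb is installed under ./adodb/, that the host/user/database values are placeholders, that SetCharSet() and GetAll() are available on the ADOdb mysqli driver, and that the driver keeps its native mysqli link in the _connectionID property (that property is my assumption about the driver, not something the thread states).

```php
<?php
// Added example (not from the original thread). Assumes ADOdb under ./adodb/
// and placeholder credentials; see the lead-in for the other assumptions.
require_once __DIR__ . '/adodb/adodb.inc.php';

function connectAdodb(): ADOConnection
{
    $db = ADONewConnection('mysqli');
    if (!$db || !$db->Connect('localhost', 'user', 'password', 'mydb')) {
        throw new RuntimeException('ADOdb connect failed');
    }
    // Escaping depends on the connection charset, so pin it before any qstr().
    $db->SetCharSet('utf8mb4');
    return $db;
}

// Route 1: let ADOdb quote. qstr() returns the value WITH surrounding quotes,
// so the caller must neither add quotes nor escape the value beforehand.
function whereByName(ADOConnection $db, string $name): string
{
    return 'SELECT id, name FROM users WHERE name = ' . $db->qstr($name);
}

// Route 2: the direct call the asker tried. The first argument must be the
// native mysqli link; on the ADOdb mysqli driver that is $db->_connectionID
// (assumption about the driver's internals), not the ADOdb object itself.
function escapeViaNativeLink(ADOConnection $db, string $value): string
{
    return mysqli_real_escape_string($db->_connectionID, $value);
}

// Route 3 (preferred): bound parameters. The value never becomes SQL text,
// so there is nothing to escape at all.
function rowsByName(ADOConnection $db, string $name): array
{
    $rows = $db->GetAll('SELECT id, name FROM users WHERE name = ?', array($name));
    return $rows === false ? array() : $rows;
}

// The thread's some_function() escapes while filling an array. Keep the array
// raw and quote only when the SQL is assembled; escaping early and then passing
// the value through qstr() or a bound parameter escapes it twice.
// Column names come from array keys, so they are backtick-quoted as identifiers
// and must still originate from trusted code, never from user input.
function insertRow(ADOConnection $db, string $table, array $row): bool
{
    $cols = array();
    $vals = array();
    foreach ($row as $col => $val) {
        $cols[] = '`' . str_replace('`', '``', (string) $col) . '`';
        $vals[] = $db->qstr((string) $val);
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        str_replace('`', '``', $table), implode(', ', $cols), implode(', ', $vals));
    return $db->Execute($sql) !== false;
}

$db = connectAdodb();
$rows = rowsByName($db, "O'Connor");                          // constructed input with a quote
$ok = insertRow($db, 'users', array('name' => "O'Connor"));  // quoted at assembly time only
```

Route 3 is what to migrate toward: it sidesteps the original question entirely, because no code path ever needs the raw mysqli link. Where qstr() is kept, remember that its second argument only strips magic-quotes slashes from legacy input and has nothing to do with injection safety.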
I don't think it uses mysql_real_escape_string() in the background.
ADODB can connect to virtually any DB, if it used mysql_anything it would make it mysql specific which it's not.
So the function looks legit, whoever told you it uses mysql_real_escape_string() is misinformed.
If you open your adodb php files, look for the qstr() function, then you will see what it is doing and how it's doing it.
p.s. this could take a lot of searching.
ASKER CERTIFIED SOLUTION
so if you had a string
$string = "O'Connor";
you would use
$conn = mysqli_connect("server", "user", "Password");
mysqli_select_db($conn, "mydb");
// the escaped value still needs its own quotes in the SQL text
$sql = "SELECT * FROM mydb where COLUMN = '" . mysqli_real_escape_string($conn, $string) . "'";
mysqli_query($conn, $sql);
...//
etc.
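The O'Connor lookup above written out in full, as an added example rather than the answer's own code: the link is passed everywhere mysqli needs it, the connection charset is set through the API because mysqli_real_escape_string() escapes according to that charset (as the PHP docs quoted earlier say), and a prepared-statement version is shown beside it that needs no quoting at all. Host, user, password, table and column names are placeholders; mysqli_stmt_get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not the answer's own code. Placeholder credentials and names.
function connectMysqli(): mysqli
{
    $conn = mysqli_connect("server", "user", "Password", "mydb");
    if ($conn === false) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Set the charset via the API rather than "SET NAMES" so the client library
    // that performs the escaping knows which encoding it is escaping.
    mysqli_set_charset($conn, 'utf8mb4');
    return $conn;
}

// Escape-and-concatenate: correct only if the caller supplies the quotes and
// the charset above has been set; forget the quotes and the escaping is useless.
function selectByEscaping(mysqli $conn, string $value)
{
    $sql = "SELECT * FROM mytable WHERE mycolumn = '"
         . mysqli_real_escape_string($conn, $value) . "'";
    return mysqli_query($conn, $sql);
}

// Prepared statement: the value never becomes part of the SQL text, so both
// "O'Connor" and "' OR 1=1 -- " are just strings compared against the column.
function selectByBinding(mysqli $conn, string $value)
{
    $stmt = mysqli_prepare($conn, "SELECT * FROM mytable WHERE mycolumn = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 's', $value);
    mysqli_stmt_execute($stmt);
    return mysqli_stmt_get_result($stmt);   // requires mysqlnd
}

$conn = connectMysqli();
$string = "O'Connor";                  // constructed input containing a quote
$byEscape = selectByEscaping($conn, $string);
$byBind   = selectByBinding($conn, $string);
```

Both functions return the same rows for O'Connor; the difference shows up in maintenance, where the prepared version cannot be broken by a later edit that drops the quotes or skips the escape call.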