[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 225
  • Last Modified:

escape strings to be set to mysql queries

Hi,

I have some strings I'll have to send to a php script to be used in sql statements. I have some concerns about single quotes, blackslashes, etc that may foul up the sql statement:

  "Hi, I'll use some single quotes ('')in this statement!"

If I try passing that as is I will meet certain doom. Is there some premade function in javascript to escape the characters that will give sql a problem?

Thanks
0
minnirok
Asked:
minnirok
  • 4
  • 4
  • 2
1 Solution
 
BogoJokerCommented:
Hi minnirok,

There is a premade function in PHP.  Probably mysql_escape_real_quotes() should do your bidding.
But in javascript?

I think it would be a function that replaces all ' characters with \'
I don't know if one already exists in javascript though.

Joe P
0
 
minnirokAuthor Commented:
Hi Joe,

Yeah I saw the one in PHP but thought it'd be better to let the client do this work instead of putting it on the server? Don't know. I could make my own char replacement function if I have to.
0
 
ZylochCommented:
There is no built in function for Javascript that I know of. You can probably build one yourself, especially for quotes with simple regex in Javascript. BogoJoker, I believe you mean mysql_real_escape_string() which is a mysql library function. A similar one could be PHP's addslashes()
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
ZylochCommented:
As for your comment, minnirok about the client doing the work, it is infinitely better to have the server do the work. You can never trust the client since they could somehow put a process in between their escaping and the server receiving the data. Having the server do it means that the server last sees it and the user cannot do anything malicious anymore.
0
 
BogoJokerCommented:
Oop, Zyloch your right.  I always try and remember the name of that function and always end up going to php.net and finding it anyways.  Hehe, thanks:
http://www.php.net/manual/en/function.mysql-real-escape-string.php

Agree with Zyloch.  The server should always have the last say, its much safer, and MUCH more predicatable because you have 100% control.  With javascript who knows, the user might even have javascript turned off!

Joe P
0
 
minnirokAuthor Commented:
Ok fair enough, so I just use it like this right:

<?php

    $passedParam1 = "My name is 'guy', I am from NYC";
    $passedParam2 = "My dog's name is 'Indy'";

    $strSql = "SELECT * FROM users WHERE field 1 = '" . mysql_real_escape_string($passedParam1) . "' AND field2 = '" . mysql_real_escape_string($passedParam2) . "'";

    // then execute.
?>

Thanks
0
 
ZylochCommented:
Quite right. You may also be interested in an alternative way to use it. It is really the same thing, but sometimes it is more organized:

$strSql = sprintf("SELECT * FROM %s", mysql_real_escape_string($table_name));

Of course, you would never have something that simple, but it gives you the general gist. If you have a lot of user variables, you may want to think about using sprintf to organize it a bit more.
0
 
minnirokAuthor Commented:
I must be doing something wrong, just tried the following:

$str1= "hello there";

$str2 = mysql_real_escape_string($str1);
   
echo $str2;


but I don' get anything actually printed - just blank! What did I do wrong?
0
 
minnirokAuthor Commented:
whoops nevermind - should have read the whole documentation page - we have to have a connection to the db before trying to use the function.

Thanks everyone.
0
 
ZylochCommented:
Yep :-) mysql_real_escape_string is a mysql library function, not a PHP one.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 4
  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now