mysql_escape_string

Description

mysql_escape_string() replaces characters that have a special meaning in MySQL with an escape sequence. The function is used to escape the individual values for a query, rather than an entire query string, i.e.:

    // Wrong
    $name = "Jimmy U'luue";
    $query = "INSERT INTO table (name) VALUES ('$name')";
    $query = mysql_escape_string ($query);

    // Right
    $name = "Jimmy U'luue";
    $name = mysql_escape_string ($name);
    $query = "INSERT INTO table (name) VALUES ('$name')";

In the first example listed, the query will be converted to

    INSERT INTO table (name) VALUES (\'Jimmy U\'luue\')

This is no longer a valid query, due to the escaping of the single quotes that used to delimit the name value. In the second example, the query will be converted to

    INSERT INTO table (name) VALUES ('Jimmy U\'luue')

This query is valid; the quotes that delimit the string are intact, while the quote inside the string has been escaped. If the quote within the name had not been escaped, the query would have been broken by it. The characters that are escaped are listed in the following table.
Example

Example 800. Show the characters that mysql_escape_string() escapes

    <table border="1" cellpadding="5">
    <tr>
        <td>Character</td>
        <td>ASCII Value</td>
        <td>Escape Sequence</td>
    </tr>
    <?php
    $cell = '<td align="center">%s</td>';

    // Walk every byte value and print only those the function rewrites
    for ($x = 0; $x < 256; $x++) {
        $chr = chr ($x);
        $esc = mysql_escape_string ($chr);

        // Provide names for unprintable characters
        if ($esc != $chr) {
            switch ($x) {
                case 0:  $chr = 'NUL'; break;
                case 10: $chr = '\n';  break;
                case 13: $chr = '\r';  break;
                case 26: $chr = 'SUB'; break;
            }
            printf ("<tr>$cell$cell$cell</tr>", $chr, $x, $esc);
        }
    }
    ?>
    </table>

Example 801. Escape a query using mysql_escape_string()

    <?php
    // Included code that connects to a MySQL server and sets a default database
    // See the MySQL Functions chapter introduction for the source code for the file
    include ('mysql_connect.inc.php');

    // Escape any naughty characters in $HTTP_GET_VARS['user'] before it is
    // placed inside the quoted string literal in the query
    $user = mysql_escape_string ($HTTP_GET_VARS['user']);

    // Storing our query in a variable helps us debug more easily
    $query = "SELECT * FROM table WHERE user = '$user'";

    mysql_query ($query)
        or die ("Query '$query' failed with error message: \"" . mysql_error () . '"');

    echo "Query '$query' succeeded.";
    ?>
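The escaping rule and the wrong-versus-right composition described above, as an added example that is not from the book: a pure-PHP stand-in for mysql_escape_string() that applies the same substitutions Example 800 would list, so the two queries from the Description can be reproduced and checked without the mysql extension. The function name mysql_escape_string_compat is an assumption.

```php
<?php
// Added example (not from the book): a pure-PHP stand-in for mysql_escape_string()
// applying MySQL's escape sequences byte by byte. The name is an assumption.
function mysql_escape_string_compat($value)
{
    // Map of the bytes MySQL treats specially inside a string literal;
    // every other byte passes through unchanged.
    static $map = array(
        "\0"   => '\\0',   // NUL
        "\n"   => '\\n',   // newline
        "\r"   => '\\r',   // carriage return
        "\x1a" => '\\Z',   // SUB (Ctrl-Z)
        '"'    => '\\"',   // double quote
        "'"    => "\\'",   // single quote
        '\\'   => '\\\\',  // backslash itself
    );
    return strtr($value, $map);
}

// Wrong: escaping the finished query rewrites the quotes that delimit the literal.
$name  = "Jimmy U'luue";
$wrong = mysql_escape_string_compat("INSERT INTO table (name) VALUES ('$name')");
assert($wrong === "INSERT INTO table (name) VALUES (\\'Jimmy U\\'luue\\')");

// Right: escape the value, then interpolate it between the delimiting quotes.
$right = "INSERT INTO table (name) VALUES ('" . mysql_escape_string_compat($name) . "')";
assert($right === "INSERT INTO table (name) VALUES ('Jimmy U\\'luue')");

// Escape exactly once: a value escaped twice gains extra backslashes, which is the
// usual symptom of PHP 4's magic_quotes_gpc combined with manual escaping.
assert(mysql_escape_string_compat(mysql_escape_string_compat("a'b")) === "a\\\\\\'b");

echo $wrong, "\n", $right, "\n";
```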
PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing
(Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch).
This material may be distributed only subject to the terms and conditions set forth
in the Open Publication License, v1.0 or later (the latest version is presently available at
http://www.opencontent.org/openpub/).
The authors of this book have elected not to choose any options under the OPL. This online book was obtained
from http://www.fooassociates.com/phpfer/
and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4
for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All
persons and entities shall have neither liability nor responsibility to any person or entity with respect to
any loss or damage arising from the information contained in this book.