4

Let's consider I will always do a

SET NAMES 'utf8'

to mysql connection (so I need multibyte escapes).

Is there a safe alternative to mysql_real_escape_string that doesn't need a mysql connection?

On the official page I found a comment that uses str_replace like this:

function escape_mimic($inp) {
    // Only escape non-empty strings; anything else is returned unchanged.
    if(!empty($inp) && is_string($inp)) {
        // Byte-wise replacement of the characters MySQL treats specially inside a
        // quoted literal: backslash, NUL, newline, carriage return, both quotes, Ctrl-Z.
        return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"),
                           array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $inp);
    }
    return $inp;
}

is this enough?

And why does mysql_real_escape_string need the current character set if it will only escape the same values? (as described in the official page php.net/mysql_real_escape_string)

thanks

dynamic
    `mysql_real_escape_string()` takes into account the character set - what if another developer switched charsets on you? Then you have a hole that could be easily fixed by using the accepted escaping function. – alex Feb 03 '11 at 23:20
  • is there a reason you haven't got a connection? You will need it to submit the data anyway. – DeveloperChris Feb 03 '11 at 23:23
  • @alex: I am the only developer here using my framework – dynamic Feb 03 '11 at 23:34
  • @alex: as far as I know, `SET NAMES 'utf8'` is only used for the current connection, so nobody should be able to change the character set so far. – CodeZombie Feb 04 '11 at 00:37
  • @ZombieShooter What if someone calls `SET NAMES` with a new character set? – alex Feb 04 '11 at 00:39
  • @alex: Someone else usually uses its own connection. `SET NAMES 'utf8'` is related to the connection and not changing a global server setting. "Every client has connection-related character set and collation system variables." ([Quote from the MySQL Manual](http://dev.mysql.com/doc/refman/5.1/en/charset-connection.html)) – CodeZombie Feb 04 '11 at 00:45
  • can we focus on my question? lol. I am the only mysql user and no one else will change my charset – dynamic Feb 04 '11 at 01:42
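The second question above (why the escaping function needs the connection charset) comes down to whether a byte that the SQL parser treats specially can occur inside a multibyte character. The following is an added example, not code from the question or any answer: it keeps the str_replace approach but first checks that the input really is UTF-8, which is the assumption the question relies on. The function name and the sample inputs are constructed for this example.

```php
<?php
// Added example: a connection-free escaper that is only applied to input verified
// to be valid UTF-8. Assumption: every connection runs SET NAMES 'utf8'.

function escape_utf8_literal(string $inp): string
{
    // In UTF-8 every byte of a multibyte character is >= 0x80, so the ASCII bytes
    // that matter to the parser (' " \ NUL \n \r 0x1a) can never be the trailing
    // byte of a character. That is not true of charsets such as GBK, Big5 or
    // Shift_JIS, where a trailing byte may be 0x5C or 0x27; that is why
    // mysql_real_escape_string() has to know the connection charset.
    if (preg_match('//u', $inp) !== 1) {
        // An invalid or truncated sequence is exactly what a byte-wise escaper
        // cannot reason about, so refuse it instead of guessing.
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return str_replace(
        ["\\",   "\0",  "\n",  "\r",  "'",   '"',   "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
        $inp
    );
}

// Constructed sample inputs and the escaped form each should produce.
$cases = [
    "O'Reilly"          => "O\\'Reilly",
    "a\\b"              => "a\\\\b",
    "line\nbreak"       => "line\\nbreak",
    "caf\xC3\xA9's"     => "caf\xC3\xA9\\'s",   // multibyte char untouched, quote escaped
];
foreach ($cases as $in => $want) {
    $got = escape_utf8_literal($in);
    echo ($got === $want ? 'ok   ' : 'FAIL ') . bin2hex($in) . ' -> ' . $got . "\n";
}

// A lone lead byte followed by a quote is rejected rather than escaped as text.
try {
    escape_utf8_literal("\xC3'x");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```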

3 Answers

1

First off, there are lots of database abstraction libraries out there

(I have used dbFacile before: https://github.com/alanszlosek/dbFacile).

Also, SQL prepared statements are ALWAYS a great idea.

But for your actual question...

From this post: Alternative to mysql_real_escape_string without connecting to DB

I really think this is a good alternative:

function escape($string) {
    $return = '';
    // Walk the input byte by byte.
    for($i = 0; $i < strlen($string); ++$i) {
        $char = $string[$i];
        $ord = ord($char);
        // Printable ASCII other than quotes and backslash is copied as-is...
        if($char !== "'" && $char !== "\"" && $char !== '\\' && $ord >= 32 && $ord <= 126)
            $return .= $char;
        // ...everything else is emitted as a backslash-x hex sequence.
        else
            $return .= '\\x' . dechex($ord);
    }
    return $return;
}
xero
    This function has been copied to a few questions, but I don't see how it works. The MySQL documentation lists a table (9.1) of back-slash escape sequences that are recognised (http://dev.mysql.com/doc/refman/5.0/en/string-literals.html) and clearly states that the backslash will be ignored in other circumstances, so "\x" is just interpreted as "x". So is "\xNN" supposed to be interpreted as an ordinal character in hexadecimal? It surely just becomes "xNN"? – Jason Nov 06 '13 at 14:23
0

There is a question similar to yours:

Alternative to mysql_real_escape_string without connecting to DB

CodeZombie
    And none of the replies there are good. And it's even a different question, because I said I'll always use the UTF-8 charset, whereas in the other question there isn't this spec. – dynamic Feb 04 '11 at 01:19
0

You should use mysql_real_escape_string. When you make a filter yourself you'll always have a chance a hacker makes a workaround. mysql_real_escape_string, on the other hand, is always up to date. Making a mysql connection isn't too much work, if that's what you mean. Most of my sites establish a connection every pageview, and they are still working ;)

Simon