All geek questions in one place

Mysql_real_escape_string for multibyte without connection?

may i always do

SET NAMES 'utf8'

to mysql connection (so I need multibyte screens).

Is there a safe alternative to mysql_real_escape_string that does not need mysql connection?

On the official page, I found a comment that uses str_replace as follows:

 if(!empty($inp) && is_string($inp)) { return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z') , $inp); }

enough?

And why does mysql_real_escape_string need the current charcaterset if it only avoids the same values? (as described on the official php.net/mysql_real_escape_string page)

thanks

+4
source share
3 answers

first, there are many database abstraction libraries out there

(I used dbFacile before: https://github.com/alanszlosek/dbFacile ).

also processed sql statements are ALWAYS a great idea.

but for your actual question ...

from this post: Alternative to mysql_real_escape_string without connecting to DB

I really think this is a good alternative:

 public function escape($string) { $return = ''; for($i = 0; $i < strlen($string); ++$i) { $char = $string[$i]; $ord = ord($char); if($char !== "'" && $char !== "\"" && $char !== '\\' && $ord >= 32 && $ord <= 126) $return .= $char; else $return .= '\\x' . dechex($ord); } return $return; }
+1
source

There is a question similar to yours:

Alternative mysql_real_escape_string without connecting to DB

0
source

You must use mysql_real_escape_string. When you create a filter yourself, you will always have a chance that a hacker will make a workaround. Mysql_real_escape_string, on the other hand, is always up to date. Creating a mysql connection is not a big job if that is what you have in mind. Most of my sites connect to every pageview and they still work;)

0
source

Source: https://habr.com/ru/post/1338335/

More articles:


All Articles