×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

Rehash of escaping strings to/from mysql/mariadb?

Rehash of escaping strings to/from mysql/mariadb?

Rehash of escaping strings to/from mysql/mariadb?

(OP)
Perhaps many of us must work with others' programs and make improvements each time.
For years I've been doing just this especially when it relates to db access.
While all my new work uses PDO prepared statements there is still a fair quantity of mysqli code to be addressed.
Currently these older methods are using the mysqli_real_escape_string before placing string fields into the database and a combination of htmlspecialchars() and preg_replace are used when data is taken out of the database.

While I'm in the process of doing another set of revisions I've been researching the opinions of others regarding the recommended technique to handle this.

It appears that most/all of the mysqli methods are procedural and not OO but the PDO is always OO.

What are everyone's views on the methods to cleanse the strings to/from in these cases?

Examples if you have them would be appreciated.

Thanks,
bigears

RE: Rehash of escaping strings to/from mysql/mariadb?

Quote (BobMCT)

It appears that most/all of the mysqli methods are procedural and not OO but the PDO is always OO.

Actually, mysqli methods can be accessed both procedurally or through OO calls. It just depends how the library is used.

You can instantiate mysqli as an object, and then call any of its methods like $mysli->methodName.

With that said, the methods themselves will be the same, so other than keeping your code in one style of code over another, there is no difference in the result of the calls.

The $mysql->real_escape_string method is pretty good at cleaning data bound for a query.

From the PHP online manual (http://php.net/manual/en/mysqli.real-escape-string...):

CODE

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close(); 

Deeper cleansing of data passed onto a query would be dependent on the data being introduced. i.e Its not going to be easy finding a solution that can work for your scenario, if you need to clean out very specific things.





----------------------------------
Phil AKA Vacunita
----------------------------------
OS-ception: Running Linux on a Virtual Machine in Windows which itself is running in a Virtual Machine on Mac OSx.

Web & Tech

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close