mysql_real_escape_string vs mysql_escape_string

Question

mysql_real_escape_string vs mysql_escape_string

Warning: count(): Parameter must be an array or an object that implements Countable in /home/styllloz/public_html/qa-theme/donut-theme/qa-donut-layer.php on line 274

48 views

According to the documentation, you should only use the function mysql_real_escape_string.
As I understand it, this is mainly due to the use of Unicode and truly justified.

Question: how often mysql_escape_string wrong and is it possible in languages with native Unicode support to use in its implementation like:

/** * Escape string for mysql. Don't use native function * because it doesn't work without connect. */ exports.escapeStr = function(str) { return str.replace(/[\\\\"']/g, "\\\\$&").replace(/[\]/g, "\\\") .replace(/[\]/g, "\\\").replace(/\\x00/g, "\\\\0"); };

UPD: the code Above is not complete, it contains not all the symbols need to be escaped. Let's assume that replace for \\b, \\t, \\Z, _, % also present:

exports.escapeStr = function(str) { return str.replace(/[\\\\"']/g, "\\\\$&").replace(/\/g, "\\\") .replace(/\/g, "\\\").replace(/\\x00/g, "\\\\0") .replace(/\\b/g, "\\\\b").replace(/\\t/g, "\\\\t") .replace(/\\x32/g, "\\\\Z") // \\Z = ASCII 26 .replace(/_/g, "\\\\_").replace(/%/g, "\\\\%"); };

asked Mar 22, 2019 by Sannis | 48 views

5 Answers

Related questions

0 like 0 dislike

1 answer

"Eternal" process setInterval vs setTimeout?

asked Jun 4, 2019 by givemoneybiatch

0 like 0 dislike

1 answer

Node.js vs Python for streaming audio content?

asked May 22, 2019 by doublewaffle

0 like 0 dislike

1 answer

Can the VS Code to debug js modules/applications node.js?

asked May 20, 2019 by mindtester

0 like 0 dislike

5 answers

Async Node.js vs Java, what's the catch?

asked Apr 4, 2019 by ericcartman

0 like 0 dislike

1 answer

SSE vs SOCKET.IO

asked Apr 1, 2019 by nepster-web

Sannis · Answer 1 · 2019-03-24T09:00:18+0000

I think You're wrong more often than those who did the function mysql_real_escape_string. I don't want to say that you are a worse program, but only that:
1 — this function not only uses Unicode and the encoding of the current connection.
2 — those who wrote this feature, perhaps now is not the same mistake, which You do not know
3 — these four substitutions may be not enough for complete tranquility
4 — it is trite running faster

taliban · Answer 2 · 2019-03-24T09:00:18+0000

finally go into bind parameters. except for the lack of such problems in the plus will not re-parse the query each time to be fulfilled.

Sannis · Answer 3 · 2019-03-24T09:00:18+0000

Here it is necessary to approach from the side, And do you use forbidden characters in the project?
\r
Personally, I have, for example, in the current project the data symbols are not used, so I just banned them in the white list, and the function mysql_real_escape_string refused as unnecessary.

taliban · Answer 4 · 2019-03-24T09:00:18+0000

On stackoverflow looking for right? =)
\rgoo.gl/LgdZi
\r
A brief retelling: it is for screening need information about the encoding of the database connection.
Downstairs, however, was given supposedly safe function.

Sannis · Answer 5 · 2019-03-24T09:00:18+0000

If latin1, then nafig this real_escape.
\r
In the trash-the code in a single script are usually a dozen or so escapes. ATO and more. And if you use real_escape where it is not needed, it will be 1 query to the database 1 real_escape. At a high load may arise on the handbrake.

mysql_real_escape_string vs mysql_escape_string

Please log in or register to add a comment.

Please log in or register to answer this question.

5 Answers

Please log in or register to add a comment.

Please log in or register to add a comment.

Please log in or register to add a comment.

Please log in or register to add a comment.

Please log in or register to add a comment.

Related questions

Most popular tags