According to the documentation, you should only use the function mysql_real_escape_string.
As I understand it, this is mainly due to the use of Unicode, and it is entirely justified.
Question: how often is mysql_escape_string wrong, and is it possible, in languages with native Unicode support, to use an implementation like this:
/**
 * Escape string for mysql. Don't use native function
 * because it doesn't work without connect.
 */
exports.escapeStr = function(str) {
  return str.replace(/[\\"']/g, "\\$&")   // backslash, double and single quote
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\x00/g, "\\0");
};
UPD: the code above is not complete; it does not cover all
the characters that need to be escaped. Let's assume that replacements for \b, \t, \Z, _, % are also present:
exports.escapeStr = function(str) {
  return str.replace(/[\\"']/g, "\\$&")   // backslash, double and single quote
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\x00/g, "\\0")
    .replace(/\x08/g, "\\b")   // backspace; a bare /\b/ would match word boundaries, not the character
    .replace(/\t/g, "\\t")
    .replace(/\x1a/g, "\\Z")   // \Z = ASCII 26 = 0x1A (not \x32, which is the digit "2")
    .replace(/_/g, "\\_")      // LIKE wildcards: only meaningful inside a LIKE pattern,
    .replace(/%/g, "\\%");     // elsewhere MySQL keeps the backslash in the stored value
};
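As an added example (my own code, not part of the question or of any MySQL driver), here is a JavaScript escape function covering the characters mysql_real_escape_string handles on single-byte and UTF-8 connections, together with a small check that the quoted literal still ends where it should; the function names and the sample inputs are assumptions of mine.

```javascript
"use strict";

// Added example, not code from the question. Covers the characters
// mysql_real_escape_string handles on single-byte and UTF-8 connections:
// NUL, \n, \r, \, ', " and Ctrl-Z (0x1A). It is only safe when the
// connection charset is ASCII-compatible (utf8mb4, latin1); for legacy
// multi-byte charsets only charset-aware, connection-bound escaping
// (or parameterised queries) is correct, which is the point of the question.
function escapeStr(str) {
  return str.replace(/[\0\n\r\\'"\x1a]/g, function (ch) {
    switch (ch) {
      case "\0":   return "\\0";
      case "\n":   return "\\n";
      case "\r":   return "\\r";
      case "\x1a": return "\\Z";
      default:     return "\\" + ch;   // backslash, single and double quote
    }
  });
}

// Oracle: scan a single-quoted literal the way MySQL's lexer does
// (backslash escapes the next char, '' is an embedded quote) and return the
// index of the closing quote, or -1 if the literal never terminates.
function literalEnd(sql, start) {
  for (let i = start + 1; i < sql.length; i++) {
    const c = sql[i];
    if (c === "\\") { i++; continue; }
    if (c === "'") {
      if (sql[i + 1] === "'") { i++; continue; }
      return i;
    }
  }
  return -1;
}

// True when every sample, escaped and wrapped in quotes, forms exactly one
// literal whose closing quote is the last character of the statement.
function escapingKeepsBoundary(samples) {
  return samples.every(function (s) {
    const sql = "'" + escapeStr(s) + "'";
    return literalEnd(sql, 0) === sql.length - 1;
  });
}

// Constructed inputs: embedded quote, trailing backslash, NUL, Ctrl-Z,
// CRLF and multi-byte UTF-8 (already decoded in JS, so it needs no escaping).
const SAMPLES = ["O'Reilly", "trailing\\", "a\0b", "ctrl\x1az", "x\r\ny", "ü é"];
```

The check is a regression test for the escape function, not a substitute for driver-side escaping: run it against the samples above and against any new character you decide to handle.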