mysql_real_escape_string vs mysql_escape_string


According to the documentation, you should only use the function mysql_real_escape_string.
As I understand it, this is mainly because of Unicode handling, and it is genuinely justified.

Question: how often is mysql_escape_string wrong, and in languages with native Unicode support is it possible to use an implementation like this:

/**
 * Escape string for mysql. Don't use native function
 * because it doesn't work without connect.
 */
exports.escapeStr = function(str) {
  return str.replace(/[\\"']/g, "\\$&")   // backslash, double quote, single quote
            .replace(/\n/g, "\\n")        // newline
            .replace(/\r/g, "\\r")        // carriage return
            .replace(/\x00/g, "\\0");     // NUL byte
};


UPD: the code above is not complete; it does not contain all the symbols that need to be escaped. Let's assume that replaces for \b, \t, \Z, _, % are also present:

exports.escapeStr = function(str) {
  return str.replace(/[\\"']/g, "\\$&")   // backslash, double quote, single quote
            .replace(/\n/g, "\\n")        // newline
            .replace(/\r/g, "\\r")        // carriage return
            .replace(/\x00/g, "\\0")      // NUL byte
            .replace(/\x08/g, "\\b")      // backspace (a bare /\b/ matches word boundaries, not 0x08)
            .replace(/\t/g, "\\t")        // tab
            .replace(/\x1a/g, "\\Z")      // \Z = ASCII 26 = 0x1A (the original /\x32/ matched '2')
            .replace(/_/g, "\\_")         // LIKE wildcards; only meaningful inside a LIKE pattern
            .replace(/%/g, "\\%");
};
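
As an added example (not code from the question or from any of the answers), the following Node.js snippet implements the exact escape set that mysql_real_escape_string rewrites for single-byte-safe connection charsets, plus a decoder that mirrors how the MySQL parser reads a quoted literal, so an escaper can be checked by round trip. It assumes the default sql_mode (backslash escapes enabled) and, like the question's code, knows nothing about the connection charset, which is exactly the gap the answers point at; the names escapeStrWithWildcards, decodeLiteral and roundTrips are my own.

```javascript
// Added example, not from the original post. Assumes default sql_mode
// (NO_BACKSLASH_ESCAPES off) and a single-byte-safe connection charset.

// Exactly the characters mysql_real_escape_string() rewrites.
const ESCAPES = {
  "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
  "'": "\\'", '"': '\\"', "\x1a": "\\Z",
};

// Charset-unaware escaper for a value placed between quotes in a statement.
function escapeStr(str) {
  return str.replace(/[\0\n\r\\'"\x1a]/g, (c) => ESCAPES[c]);
}

// The question's UPD variant additionally backslashes the LIKE wildcards.
function escapeStrWithWildcards(str) {
  return escapeStr(str).replace(/_/g, "\\_").replace(/%/g, "\\%");
}

// How the MySQL parser decodes a backslash sequence inside a quoted literal:
// known sequences map to their character, \% and \_ keep the backslash
// outside a LIKE pattern, and any other escaped character is taken as-is.
const UNESCAPES = {
  "0": "\0", "n": "\n", "r": "\r", "\\": "\\", "'": "'", '"': '"',
  "Z": "\x1a", "b": "\b", "t": "\t", "%": "\\%", "_": "\\_",
};

function decodeLiteral(lit) {
  return lit.replace(/\\([\s\S])/g, (m, c) => (c in UNESCAPES ? UNESCAPES[c] : c));
}

// True when the value survives escape -> parse unchanged.
function roundTrips(escapeFn, value) {
  return decodeLiteral(escapeFn(value)) === value;
}
```

Because MySQL keeps the backslash in \% and \_ outside a LIKE pattern, the wildcard-escaping variant fails the round trip for any value containing % or _, so those two replaces belong only in code that builds LIKE patterns.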

5 Answers

I think you are wrong more often than those who wrote the function mysql_real_escape_string. I don't want to say that you are a worse programmer, only that:
1 — this function takes into account not just Unicode but the encoding of the current connection.
2 — those who wrote this function perhaps no longer make mistakes that you don't even know about
3 — these four substitutions may not be enough for complete peace of mind
4 — it simply runs faster
Finally switch to bind parameters. Besides the absence of such problems, a plus is that the query will not be re-parsed every time it is executed.
Here it is necessary to approach it from the other side: do you even use forbidden characters in the project?
Personally, in my current project, for example, such symbols are not used in the data, so I simply banned them with a whitelist and dropped the function mysql_real_escape_string as unnecessary.
Looked it up on stackoverflow, right? =)
goo.gl/LgdZi
A brief retelling: for escaping you need information about the encoding of the database connection.
Lower down, however, a supposedly safe function was given.
If it's latin1, then forget about this real_escape.
In trashy code there are usually a dozen or so escapes in a single script. Or even more. And if you use real_escape where it is not needed, it will be 1 query to the database per 1 real_escape. Under high load this can act as a handbrake.
