[GLLUG] Retrieving a row from mysql
Jeremy Bowers
jerf at jerf.org
Tue Feb 17 12:09:34 EST 2004
Szymon Machajewski wrote:
> Jeremy,
>
> I have to disagree with you on using the function always.
>
> It will depend greatly on your database. What if you have a database
> where you retrieve data not only with PHP, but with Crystal Reports and
> other tools. What about the escape characters then ?
> You will see on the ODBC report: O\'Brien
Then you're not likely to use mysql_really_escape_characters. You're
tied to mysql by using those functions, and you've already got work to
do if you want to move to Crystal reports.
Using the wrong escaping/encoding function is always a bad idea. This
does not mean you should not use them.
This is part of the reason I was surprised at PHP. The Python database
interface actually provides a function that abstracts the database
escaping rules themselves away, so you can go from MySQL to Oracle to
Postgres and the escaping rules will follow correctly.
This is a weakness in your choice of language/libraries, and thus it is
even more important for you to make sure you're escaping correctly. That
requires more work then it should; sorry, I can't do much about that.
> For example you should have a sql_safe() function where you would
> define the escape characters you choose to use. Then you would use
> $comments = sql_safe($comments) to reset each value before using in a
> query.
> What works sometimes is simply replacing single quotes with back ticks.
> They look fine on the web page and in Crystal.
>
> So there are no blanket solutions and there is always a trade off.
I have to admit to finding this statement sort of ironic, since you just
described a correct blanket solution (if sql_safe takes its chars based
on the type of connection you are using). It is *always* worth making
sure your characters are correctly escaped relative to the environment
you are in, or you will almost certainly eventually regret it and have a
hard time fixing it.
(When dealing with the web, always make sure that:
* Special SQL characters like ' can be inserted into the database
correctly, and if you can edit the entries, that the ' comes back out to
the editing interface correctly, such that editing an entry and
immediately hitting submit doesn't change the database entry.
* Do the same for *all of* &, &, and &. I've had trouble
with every single one of those independently. These are *certain* to
come up if you're allowing some sort of content editing, but even in
other scenarios you'd be surprised where these pop up.
Again, if it's private, you can slack off on this... but don't fool
yourself, you ARE slacking off, and you may end up paying for it at the
worst time... or not, but it's a risk.)
Believe me, I'm trying to help; I've spent at least 20 hours in my life
tracking down stupid escaping issues, probably MUCH more, rather then
doing other interesting or productive work. (It's even *worse* when it's
not your bug, because the bug is in closed-source outside of your
control...) You do not want to develop bad habits in this regard. Ten
minutes getting it right now will pay off handsomely.
More information about the linux-user
mailing list