PHP :: Request #37011 :: I need autoescape fot mysql code

Request #37011	I need autoescape fot mysql code
Submitted:	2006-04-07 16:56 UTC	Modified:	2006-04-07 17:03 UTC
From:	kpoxa at kpoxa dot net	Assigned:
Status:	Wont fix	Package:	Feature/Change Request
PHP Version:	4.4.2	OS:	Any
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 44 + 17 = ?
Subscribe to this entry?

[2006-04-07 16:56 UTC] kpoxa at kpoxa dot net

Description:
------------
In perl+mysql qyury params may by autoescaped,
in php i must user mysql_escape_string,
wy not exists function like this:

use 

$ecaped_query = mysql_make_query("select * from table where id=? and field2=? ORDER BY ID",1,'Here i may savely put any data this " and over untrusted symbols');

Reproduce code:
---------------
function mysql_make_query() {
    $num_args = func_num_args();
    if ($num_args==0) return '';
    $format = func_get_arg(0);
    if ($num_args==1) return $format;

    $strings = explode('?',$format);
    $result  = array_shift($strings);
    for ($i=1;$i<$num_args;$i++) {
        $result .= "'".mysql_escape_string(func_get_arg($i))."'";//'"
        $result .= array_shift($strings);
    }
    return $result;
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-04-07 17:03 UTC] tony2001@php.net

Use PDO_MYSQL for that.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Jun 26 16:01:30 2024 UTC