Thread: PHP - escaping parameter values

PHP - escaping parameter values
user name
2006-10-24 16:30:52
This message is mainly for Tomash:

This is about escaping strings in the PHP code before they are used in SQL statements.  I've noticed that some strings will be escaped twice before they are used in SQL statements because the arguments are encoded in one function and then passed to another function, which encodes them again.

Example:

function one($name)
{
   $name = pg_escape_string($name);
   two($name);                         // passes the already-escaped value on
   // ...do something with $name here...
}

function two($name)
{
   $name = pg_escape_string($name);    // escapes the value a second time
   // ...do something with $name here...
}

You can see that function two will have a doubly-escaped $name variable.  As a solution, we should always pass parameters in their raw form and allow the function to take care of the encoding:

function one($name)
{
   $escapedName = pg_escape_string($name);
   two($name);                         // pass the raw value, not $escapedName
   // ...do something with $escapedName here...
}

function two($name)
{
   $escapedName = pg_escape_string($name);
   // ...do something with $escapedName here...
}

Please let me know what you think.

- Paul
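To make the effect of the double escaping concrete, here is an added example (it is not code from this mail or from the project) that builds the same query both ways and shows how the value changes. The convention proposed above is followed by findUserSql(): callers hand over the raw value and the one function that embeds it in SQL escapes it. The users table and the function names are hypothetical; escapeOnce() uses the real pg_escape_string() when the pgsql extension is loaded and otherwise falls back to the same single-quote doubling rule so the script runs without a database.

```php
<?php
// Added example, not code from the mailing-list post or the project.
// Shows the double-escaping problem and the "escape once, at the point of
// use" convention. The users table and findUserSql() are hypothetical.

/**
 * Escape a value for use inside a single-quoted SQL literal, exactly once.
 * Uses pg_escape_string() when the pgsql extension is available; otherwise
 * falls back to doubling single quotes, which is the rule that matters here.
 */
function escapeOnce(string $value): string
{
    if (function_exists('pg_escape_string')) {
        return pg_escape_string($value);
    }
    return str_replace("'", "''", $value);  // fallback: mimic quote doubling
}

/**
 * The convention from the thread: callers pass the RAW value, and the
 * function that embeds it in SQL is the only place that escapes it.
 */
function findUserSql(string $rawName): string
{
    $escapedName = escapeOnce($rawName);
    return "SELECT * FROM users WHERE name = '$escapedName'";
}

/**
 * The anti-pattern: the caller escapes first and then hands the value to a
 * function that escapes it again, so the literal no longer matches the data.
 */
function findUserSqlDoubleEscaped(string $rawName): string
{
    $alreadyEscaped = escapeOnce($rawName);  // caller "helpfully" escapes
    return findUserSql($alreadyEscaped);     // ...and the helper escapes again
}

/**
 * Self-check: escaping once and escaping twice must produce different SQL
 * for any value that contains a quote. Returns true when the two differ.
 */
function doubleEscapingChangesQuery(string $rawName): bool
{
    return findUserSql($rawName) !== findUserSqlDoubleEscaped($rawName);
}

$input = "O'Reilly";  // constructed sample input containing a single quote

echo "escaped once:  ", findUserSql($input), "\n";
echo "escaped twice: ", findUserSqlDoubleEscaped($input), "\n";
echo doubleEscapingChangesQuery($input)
    ? "double escaping changed the query\n"
    : "no difference\n";
```

The second query searches for a name that contains two literal quote characters, which is not the name the user typed, so the row is never found (or, on an INSERT, a corrupted value is stored). Using pg_query_params() instead of string building removes the question of who escapes altogether, because the value is sent separately from the SQL text.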
PHP - escaping parameter values
user name
2006-10-25 09:40:56
Yes - agree, I will look over storageServer, alib and hub source to implement it.

Tomáš Hlava
thlavaemail.cz

P.S. I've been registered on sourceforge with username tom22

On Tue, 24 Oct 2006 18:30:52 +0200 (CEST) Paul Baranowski wrote:
> This message is mainly for Tomash:
> 
> This is about escaping strings in the PHP code before they are used in
> SQL statements.  I've noticed that some strings will be escaped twice
> before they are used in SQL statements because the arguments are encoded
> in one function and then passed to another function, which encodes them
> again.
> 
> Example:
> 
> function one($name)
> {
>    $name = pg_escape_string($name);
>    two($name);
>    ...do something with $name here...
> }
> 
> function two($name)
> {
>    $name = pg_escape_string($name);
>    ...do something with $name here...
> }
> 
> You can see that function two will have a doubly-escaped $name variable.
>  As a solution, we should always pass parameters in their raw form and
> allow the function to take care of the encoding:
> 
> function one($name)
> {
>    $escapedName = pg_escape_string($name);
>    two($name);
>    ...do something with $escapedName here...
> }
> 
> function two($name)
> {
>    $escapedName = pg_escape_string($name);
>    ...do something with $escapedName here...
> }
> 
> Please let me know what you think.
> 
> - Paul
PHP - escaping parameter values
user name
2006-10-25 14:46:23
Please don't do it - I have already done it, just not checked in!!!!


Tomas Hlava wrote:
> Yes - agree, I will look over storageServer, alib and hub source to
> implement it.
> 
> Tomáš Hlava
> thlavaemail.cz
> 
> P.S. I've been registered on sourceforge with username tom22
> 
> On Tue, 24 Oct 2006 18:30:52 +0200 (CEST) Paul Baranowski wrote:
>> This message is mainly for Tomash:
>>
>> This is about escaping strings in the PHP code before they are used in
>> SQL statements.  I've noticed that some strings will be escaped twice
>> before they are used in SQL statements because the arguments are encoded
>> in one function and then passed to another function, which encodes them
>> again.
>>
>> Example:
>>
>> function one($name)
>> {
>>    $name = pg_escape_string($name);
>>    two($name);
>>    ...do something with $name here...
>> }
>>
>> function two($name)
>> {
>>    $name = pg_escape_string($name);
>>    ...do something with $name here...
>> }
>>
>> You can see that function two will have a doubly-escaped $name variable.
>>  As a solution, we should always pass parameters in their raw form and
>> allow the function to take care of the encoding:
>>
>> function one($name)
>> {
>>    $escapedName = pg_escape_string($name);
>>    two($name);
>>    ...do something with $escapedName here...
>> }
>>
>> function two($name)
>> {
>>    $escapedName = pg_escape_string($name);
>>    ...do something with $escapedName here...
>> }
>>
>> Please let me know what you think.
>>
>> - Paul
> 