PHP Classes
Icontem

Subject:multidatabase special chars escaping
Summary:I'm looking for universal escaping way
Messages:2
Author:Kaurov Eugene
Date:2006-02-09 17:30:29
Update:2006-02-09 19:07:52
 

1. multidatabase special chars escaping
Kaurov Eugene
2006-02-09 17:30:29
Question: recommend me please a universal approach to special chars escaping that will work with any database

My problem:

Description:
$sql="INSERT INTO table (field, field2) VALUES ('$value', '$value1')";
$metabase->Query($sql);

$value and $value1 come from GET or POST, anything. I have to escape special chars to be safe.

For MySQL it looks like $value=addslashes($value);
But when I tried it for Oracle my text was written into the database with backslashes.

If I want to create database-independent software I have to write

if ($metabase->database_type=='mysql') $value=addslashes($value);
if ($metabase->database_type=='oci') $value= str_replace("'", "''", $value);

This approach is bad because I have to list each database type. And str_replace('"', '""', $value) strongly depends on the query quotes: if I write
$sql="INSERT INTO table (field, field2) VALUES (\"$value\", \"$value1\")";
It would be an error.

How can I write database-independent code? My Oracle knowledge is weak; maybe I don't know how escaping works with Oracle?

2. Re: multidatabase special chars escaping
Manuel Lemos
2006-02-09 19:07:52
You can use the Get*FieldValue functions to ask the Metabase API to convert database-independent values to the respective representation in the target database format. That will provide the necessary escaping and format conversion when needed.

Alternatively you can also use prepared statements. These allow you to define placeholders in a SQL query marked as ?. Those placeholders are replaced by parameter values that you define when the query is executed.

Take a look at the tutorial document as it explains how both solutions work. Just let me know if you still have doubts.
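The two approaches from the reply, as an added example that is not part of the thread and does not use Metabase: it runs offline on PDO with an in-memory SQLite database, with PDO::quote() standing in for Metabase's Get*FieldValue functions and prepare()/execute() for its ? placeholders, and it reproduces the backslash problem the question describes.

```php
<?php
// Added example, not code from the thread or from Metabase. PDO + SQLite are used
// so it runs without a server; the idea is the same as the Metabase API described above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, field TEXT, field2 TEXT)');

// Constructed sample input, the kind of thing that arrives via GET or POST.
$value  = 'He said "hi"';   // double quotes: addslashes() backslashes these
$value1 = "O'Reilly";       // single quote: breaks naive interpolation

// 1) addslashes() is MySQL-specific. SQLite, like Oracle, has no backslash
//    escapes in string literals, so the backslashes end up in the stored data.
$a = addslashes($value);
$pdo->exec("INSERT INTO t (field, field2) VALUES ('$a', 'x')");

// 2) Driver-provided quoting (the Get*FieldValue idea): the driver emits the
//    correct literal for this database, quotes included, so the query text no
//    longer depends on which quote character you typed around the value.
$q  = $pdo->quote($value);
$q1 = $pdo->quote($value1);
$pdo->exec("INSERT INTO t (field, field2) VALUES ($q, $q1)");

// 3) Prepared statement with ? placeholders: the values never become part of
//    the SQL text at all, so no escaping rule has to be chosen per database.
$stmt = $pdo->prepare('INSERT INTO t (field, field2) VALUES (?, ?)');
$stmt->execute([$value, $value1]);

foreach ($pdo->query('SELECT id, field, field2 FROM t ORDER BY id') as $row) {
    printf("%d: %s | %s\n", $row['id'], $row['field'], $row['field2']);
}
```

Row 1 comes back with literal backslashes around the double quotes, which is the corruption seen on Oracle; rows 2 and 3 hold both values intact, and only the prepared statement does so without any quoting logic in the application.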

 
Copyright (c) Icontem 1999-2008 PHP Classes - PHP Class Scripts