CodeIgniter Forums
escape or escape_str - Printable Version




escape or escape_str - El Forum - 04-25-2009

[eluser]berkan[/eluser]
Hello.

I looked in the database library files and found the function escape. As I understand it, the escape function uses escape_str with some extras. It adds single quotes to the string and tests for null and boolean variables.

I couldn't find where the escape_str function is.

What is the difference between them?

The escape function adds single quotes to the string. I don't want it to do that. What is the benefit of adding quotes?

What do you recommend?
Thanks for giving time.


escape or escape_str - El Forum - 04-26-2009

[eluser]TheFuzzy0ne[/eluser]
The escape() method is the method that should be called by you. It decides what kind of input you've supplied and acts appropriately.

If you supplied a string, it uses escape_str() to escape the string.
If you supplied a boolean value, it's replaced with 1 or 0.
If you specify NULL, the value is replaced with 'NULL' (string).

I doubt you'll ever need to call upon escape_str() directly. I'd recommend you just stick to using the escape() method.


escape or escape_str - El Forum - 04-26-2009

[eluser]berkan[/eluser]
Thanks for the reply.

Why does the escape function add single quotes to the string value? If I modify it, will that be a security problem?


Code:
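function escape($str)
{
    switch (gettype($str))
    {
        // Strings are escaped and then wrapped in single quotes
        case 'string':
            $str = "'".$this->escape_str($str)."'";
            break;
        // Booleans become the integers 1 or 0
        case 'boolean':
            $str = ($str === FALSE) ? 0 : 1;
            break;
        // NULL becomes the SQL keyword NULL; anything else passes through unchanged
        default:
            $str = ($str === NULL) ? 'NULL' : $str;
            break;
    }

    return $str;
}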



escape or escape_str - El Forum - 04-26-2009

[eluser]TheFuzzy0ne[/eluser]
Yes, it will be a security threat and also you won't have a valid SQL query.

Let's say you wanted to insert some data into an imaginary table:

Code:
$this->db->where('user_id', '1');
$this->db->insert('imaginary_table', array('username' => 'some name'));

If the string was not escaped, the resulting query would look something like this:

Code:
INSERT INTO imaginary_table (username) VALUES(some name) WHERE user_id = '1';

This is not valid SQL, as "some name" does not appear within quotes so your SQL database won't know it's a string. Escaping it adds those quotes, so it will look more like this:

Code:
INSERT INTO imaginary_table (username) VALUES('some name') WHERE user_id = '1';

If you pass a string to $this->db->escape(), it is automatically escaped using your database's native escape function (to prevent SQL injection attacks), which is essentially what escape_str() does.

I recommend you stick with $this->db->escape(), as it does everything you should need it to. If you're using the active record class, then your data is escaped automatically.
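
Why the quotes matter, as an added example that is not part of the original thread and not CodeIgniter's own code: escape_str_demo() and escape_demo() are hypothetical stand-ins, and PHP's addslashes() is assumed in place of the database driver's native escape function so the script runs without a database. The sample inputs are constructed.

```php
<?php
// Added illustration, not CodeIgniter source. escape_str_demo() and
// escape_demo() are hypothetical stand-ins for escape_str() and escape().
// addslashes() substitutes for the driver's native escape function (assumption).

function escape_str_demo(string $str): string
{
    // Escapes quote, backslash and NUL characters; adds no surrounding quotes.
    return addslashes($str);
}

function escape_demo($value)
{
    if (is_string($value)) {
        // Escape first, then wrap in single quotes so the value is one SQL string literal.
        return "'" . escape_str_demo($value) . "'";
    }
    if (is_bool($value)) {
        return $value ? 1 : 0;
    }
    return $value === null ? 'NULL' : $value;
}

function build_query(callable $escaper, $input): string
{
    // Query shape modelled on the thread's imaginary_table example.
    return "SELECT * FROM imaginary_table WHERE username = " . $escaper($input);
}

// Constructed sample inputs, as they might arrive from a request.
$samples = [
    "some name",   // plain text: invalid SQL when left unquoted
    "O'Reilly",    // embedded quote: escaping handles it
    "1 OR 1=1",    // no quote characters, so escaping has nothing to change
];

foreach ($samples as $input) {
    echo "input:           {$input}\n";
    echo "escape_str only: " . build_query('escape_str_demo', $input) . "\n";
    echo "escape:          " . build_query('escape_demo', $input) . "\n\n";
}

// Non-string types take the other branches of the switch shown in the thread.
var_dump(escape_demo(true), escape_demo(false), escape_demo(null));
```

Escaping alone leaves the third input unchanged, so without the surrounding quotes it is parsed as part of the WHERE condition rather than as a value; with the quotes it stays a single string literal.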


escape or escape_str - El Forum - 04-26-2009

[eluser]berkan[/eluser]
Thank you man. Have a good day.