escape_str in mysql - Printable Version

escape_str in mysql - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: escape_str in mysql (/showthread.php?tid=3316)

escape_str in mysql - El Forum - 09-24-2007

[eluser]displaynone[/eluser]
I have been looking for a similar bug, but I don't find it, so I decide to write a new one.
When I try to escape a string using escape_str function, I get incorrect results.
For example:

Code:
$query = $this->db->query('insert into table values (?, ?)', array('value1', 'value2 /\/\/\'));

The query result is:

Code:
insert into table values ('value1', 'value2 /\/\/\')

The error is in the last slash & quote.

The escape_str function is this:

Code:
function escape_str($str)    

{    

  // Escape single quotes

  return str_replace("'", "''", $str);

}

Why do you do this way if exists the function mysql_escape_string?

Thanks for your time and sorry for my english

escape_str in mysql - El Forum - 09-24-2007

[eluser]displaynone[/eluser]
Sorry!! I was wrong when I talk about the code of escape_str in MySQL, it's mssql code, but I don't get a correct string escaped yet.

escape_str in mysql - El Forum - 09-24-2007

[eluser]displaynone[/eluser]
In the DB_driver.php, in the function compile_binds, when the char "?" is replaced by the bind, it removes the slashes "\".

I add this into my CI code:

Code:
$sql = preg_replace('#'.preg_quote($this->bind_marker, '#').'#', str_replace('\\', '\\\\',str_replace('$', '\$', $val)), $sql, 1);

line: 525

Is this ok?