Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived Development & Programming escape or escape_str
escape or escape_str
  • El Forum
    Guest
  •  
#1
04-25-2009, 07:19 PM

[eluser]berkan[/eluser]
Hello.

I looked in database library files and found the function escape. As i understand escape function uses escape_str with some extras. It adds single quotes to the string and tests the null, boolean variables.

I couldn't find where the escape_str function is.

What is difference between them.?

Escape function adds single quotes to the string.I don't want it to do that. What is the benefit of adding quotes.?

What do you recommend.?
Thanks for giving time.
  • El Forum
    Guest
  •  
#2
04-26-2009, 04:43 AM

[eluser]TheFuzzy0ne[/eluser]
The escape() method is the method that should be called by you. It decides what kind of input you've supplied and acts appropriately.

If you supplied a string, it uses escape_str() to escape the string.
If you supplied a boolean value, it's replaced with 1 or 0.
If you specify NULL, the value is replaced with 'NULL' (string).

I doubt you'll ever need to call upon escape_str() directly. I'd recommend you just stick to using the escape() method.
  • El Forum
    Guest
  •  
#3
04-26-2009, 06:28 AM

[eluser]berkan[/eluser]
Thanks for reply.

Why does escape function adds single quotes to the string value. If I modify, will that be a security problem.


Code:
function escape($str)
    {    
        switch (gettype($str))
        {
            case 'string'    :    $str = "'".$this->escape_str($str)."'";
                break;
            case 'boolean'    :    $str = ($str === FALSE) ? 0 : 1;
                break;
            default            :    $str = ($str === NULL) ? 'NULL' : $str;
                break;
        }        

        return $str;
    }
  • El Forum
    Guest
  •  
#4
04-26-2009, 06:48 AM

[eluser]TheFuzzy0ne[/eluser]
Yes, it will be a security threat and also you won't have a valid SQL query.

Let's say you wanted to insert some data into an imaginary table:

Code:
$this->db->where('user_id', '1');
$this->db->insert('imaginary_table', array('username' => 'some name'));

If the string was not escaped, the resulting query would look something like this:

Code:
INSERT INTO imaginary_table (username) VALUES(some name) WHERE user_id = '1';

This is not valid SQL, as "some name" does not appear within quotes so your SQL database won't know it's a string. Escaping it adds those quotes, so it will look more like this:

Code:
INSERT INTO imaginary_table (username) VALUES('some name') WHERE user_id = '1';

If you pass a string to $this->db->escape(), it is automatically escaped using your databases native escape function (to prevent SQL injection attacks), which is essentially what escape_str() does.

I recommend you stick with $this->db->escape(), as it does everything you should need it to. If you're using the active record class, then your data is escaped automatically.
  • El Forum
    Guest
  •  
#5
04-26-2009, 06:57 AM

[eluser]berkan[/eluser]
Thank you man. Have a good day.




Theme © iAndrew 2016 - Forum software by © MyBB