Hey all,
I'm stuck with the following:
The mysql_real_esca pe_string(conn, to, from, strlen(from)) function does not return the escaped string. So how can I go about writing a wrapper for it so that it RETURNS the 'to' string which in turn helps me fill out a query in the following manner using sprintf: -
unescaped_query = "INSERT into MYTABLE values ('%s', '%s')";
-
sprintf(escaped_query, unescaped_query, wrapper(<string argument no.1 that needs to be escaped>, wrapper(<string argument no.2 that needs to be escaped>);
-
/* Execute escaped_query */
You see the problem I'm running into is that the same "wrapper" function is going to be called more than once in a single sprintf statement. That is causing the return value to get overwritten after every call to "wrapper", leading to all values in the table being one and the same (as the return value of the last wrapper function call).
Can anybody help? :((
I'm sure this is a common problem and there must be a better and more established way of doing it. Just point me in the right direction.
Thanks in advance,
Sid :O)
3  4689  Atli 5,058
Recognized Expert Expert @srbakshi
Where did you get that info from?
According to the manual, this function is described as:
string mysql_real_esca pe_string ( string $unescaped_stri ng [, resource $link_identifie r ] )
Also, the way you use sprintf makes no sense according to the manual.
Doing something like this should work fine: -
$rawSQL = "INSERT into MYTABLE values ('%s', '%s')";
-
$formattedSQL = sprintf($rawSQL,
-
mysql_real_escape_string($firstValue)
-
mysql_real_escape_string($secondValue));
-
// Execute the formatted SQL
Atli 5,058
Recognized Expert Expert
Ahh ok.
As you didn't provide the language you were using, I assumed you were using PHP. (Usually a safe bet.)
Please try to include facts like these in your posts, so we are not forced to guess.
Unfortunately I've little experience with C, so I can't really help much.
I'll move this over to the C/C++ forum. Maybe the experts over there will be able to help.
Sign in to post your reply or Sign up for a free account.
Similar topics | |
by: Michael G |
last post by:
If I only escape the characters that mysql_real_escape_string recognizes, is
this adequate protection against SQL injection attacks?
I have read a number of archived posts plus I've read some of the info at
php.net. I am still not convinced as to what to do. The php folks claim that
using mysql_real_escape_string is all that is needed. Then on the other
hand, there is a myriad of opinions about that. I think I am inclined to
side with...
|
by: Marcus |
last post by:
Hello,
My php.ini file currently has magic quotes set to On, but I have read
that it is better to code with it off.
Currently with magic quotes on, I only use stripslashes() to properly
format strings that are displayed on the screen. I know that now with
magic quotes off, I will have to manually handle escaping special
characters with mysql_real_escape_string() or addslashes().
|
by: comp.lang.php |
last post by:
when trying to use the mysql_real_escape_string() function, the
following warning occurs:
First of all, the user is not 'web' trying to connect to the database,
secondly, what is mysql_real_escape_string() doing connecting to the
database, as 'web' or anyone else, and thirdly, why is this happening,
does anyone know?
|
by: matthud |
last post by:
<?php
//MAKE IT SAFE
$chunk = $_POST;
$title = $_POST;
$url = $_POST;
$tags = $_POST;
$user = $_POST;
$safe_chunk = mysql_real_escape_string(htmlentities($chunk));
$safe_title = mysql_real_escape_string(htmlentities($title));
|
by: vivek |
last post by:
Could someone please help me figure out why the memory usage
fluctuates when I use mysql_real_escape_string? I'm finding (what I
think are) memory leaks with a few mysql functions in php and I'm
trying to figure them all out. This one is pretty vexing. Thanks in
advance.
Here is example code:
class memTest {
function __construct() {
$con = mysql_connect("***************","*******","****");
| | |
by: zach |
last post by:
I created a comment form which will inserts the comments into a database
and displays them immediately. I want to make sure that its safe from
users inserting unwanted data into the database or executing queries.
Here's my php code, is this done right? Is there anything else I should
to to make it more secure?
$handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
|
by: Pugi! |
last post by:
It is by accident that I noticed that I forgot to use
mysql_real_escape_string in part of my webapp.
I tested input with following text : Hélène 51°56'12'' http://www.mysite.org/folder
3 functions worked correctly and 1 failed:
The one that failed didn't have mysql_real_escape_string and neither
did 2 of the ones that worked: in those 2 I used prepared sql
statements (PEAR DB package). The other that I used was with...
|
by: Mandragon03 |
last post by:
I am using mysql_real_escape_string for the input of a form before it
is updated into the mysql database. Somthing like this:
$realHTMLText = mysql_real_escape_string($_POST);
$id = intval($_POST);
$UpdateString = "UPDATE table SET Content = '$realHTMLText' where ID
= $id";
This is on a form that allows you to edit the textarea. The problem I
|
by: roseple |
last post by:
Hi, can anyone please help me why I got this error every I uploaded files.
Error:
Here is the code on the said warning message:
# Gather all required data
$name = mysql_real_escape_string($dbLink, $_FILES);
$mime = mysql_real_escape_string($dbLink, $_FILES);
$size = $_FILES;
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
