Use of pg_escape

Skip site navigation (1) Skip section navigation (2)

Peripheral Links

Text Size: Normal / Large
Donate
Contact

Header And Logo

The world's most advanced open source database.

Site Navigation

Use of pg_escape_string()

From: Sylvain Racine <syracine(at)sympatico(dot)ca>
To: pgsql-php(at)postgresql(dot)org
Subject: Use of pg_escape_string()
Date: Sun, 22 Nov 2009 14:22:07 -0500
Message-id: <BLU0-SMTP3034F7FE7C5F0BEA0009A5FD9F0@phx.gbl> <text/plain>

Hello,

I use to hear about to escape every variables who come from user in PHP.Most programmers around me use MySQL with mysql_escape_string(). BecauseI program with PostgreSQL, I take advantage to use pg_escape_string().Everything goes well, up I entered data with apostrophe(').pg_escape_string() escapes my apostrophe with another apostrophe ('').My data are well store in database. No error... except that appears adouble apostrophe. This is not what I want.

Maybe something is wrong in my program. Here is a sample of what I useto store data in table "personnes" which have two columns: firstname,lastname. I remove database connection and construction of objectsMinute and Personnes.


Ex: Nathalie Prud'homme gives Nathalie Prud''homme...

$minute->personnes->firstname = $_POST["firstname"];
$minute->personnes->lastname = $_POST["lastname"];
$fields = array("firstname","lastname");

$query =$GLOBALS['phpag']->db->record('personnes',$fields,$minute->personnes);

if (!$GLOBALS['phpag']->db->query($query))
{
     echo $GLOBALS['phpag']->db->error;
}



class db

{
function query($query, $offset=0, $num_rows=-1)
{
   if (!$this->link_ID)
   {

$this->error .= '<div style="color:#FF0000">Can't connect todatabase.</div>';

           return FALSE;
   }
     $this->record = array();
   $this->count = 0;

   if (!$num_rows && $this->debug)

{print 'number of lines limit ='.$GLOBALS['phpag_info']['preferences']['phpag']['lines'];

       $num_rows = $GLOBALS['phpag_info']['preferences']['phpag']['lines'];
   }
   if ($num_rows > 0)

{$query .= ' LIMIT '.$num_rows.' OFFSET '.$offset;

       if ($this->debug) {
             print '<div>Query: '.$query.'</div>';
         }

       $this->query_ID = pg_query($this->link_ID, $query);
   } else
   {
       if ($this->debug) {
             print '<div>Query: '.$query.'</div>';
         }

       $this->query_ID = pg_query($this->link_ID, $query);
   }

if (!$this->query_ID)

     {
       $this->err = pg_last_error($this->link_ID);

$this->error .= '<div style="color:#FF0000">Error in query sentto database<br><br>'.$this->err."<br><br>\n";$this->error .= "<u>Invalid SQL query:</u>:<blockquote>$query</blockquote></div><br>";

       return FALSE;
     }
     else
     {
       for ($i = 0; $i < pg_numrows($this->query_ID); $i++)
       {
           $this->record[$i] = pg_fetch_array($this->query_ID,$i);

if ($this->debug)

           {
               echo 'Record #'.$i.' ';
               print_r($this->record[$i]);
               print "<br>";
           }
       }
       //Calculate how many records
       $this->count = ($this->record ? count($this->record): 0);
     }

     return $this->query_ID;
}

// Escape string if necessary
function slash ($text)
{
   $text = pg_escape_string($text);
     return $text;
}


       function record($table,$fields,$values)
       {
             if (class_exists(get_class($values)))
                 $values=get_object_vars($values);
                       $query = 'INSERT INTO '.$table.'(';

if (empty($champs)) {

                            $arg['type'] = 'php';

$arg['message'] = '<divstyle="color:#FF0000">SQL Error: You try to insert values in tablewithout declare column name!</div>';

                          Error::thrown($arg,FALSE,TRUE);
                       }
                       foreach ($fields as $num =>$col) {
                         $query .= ($num ? ',': '').$col;
             }

$query .= ') VALUES (';if (empty($values)) {

                       $arg['type'] = 'php';

$arg['message'] = '<divstyle="color:#FF0000">SQL Error: You try to insert data in tablewithout giving values!</div>';

                       Error::thrown($arg,FALSE,TRUE);
             }

               $valueClause = '';
               $id = 0;
               foreach ($values as $num => $col) {
                 preg_match('/^id/',$num,$match);
                 if (!empty($match[0])) $id += 1;

if (empty($match[0])) { // Remove column beginningwith 'id...'$valueClause .= ($valueClause ? ',' :'').'\''.$this->slash($col).'\'';

                 }
             }

if (count($fields) != (count($fields) - $id)) {

                       $arg['type'] = 'php';

$arg['message'] = '<divstyle="color:#FF0000">SQL Error: The number of columns mismatches withthe number of values!</div>';

                       Error::thrown($arg,FALSE,TRUE);

}$query .= $valueClause.');';return $query;

       }

}


Anybody have an idea?

Follow-Ups:
- Re: Use of pg_escape_string()
  - From: Raymond O'Donnell

Next by Date: Re: Use of pg_escape_string()
Next by thread: Re: Use of pg_escape_string()
Indexes:
- Main
- Thread

Home | Main Index | Thread Index

Search

Peripheral Links

Header And Logo

Site Navigation

Section Navigation

Use of pg_escape_string()

Search archives
	Advanced Search