
pg_escape_string

Escape a string for insertion into a text field (PHP 4 >= 4.2.0, PHP 5)

string pg_escape_string ( [resource connection,] string data )

pg_escape_string() escapes a string for use as a literal in a query and returns it in PostgreSQL's quote-doubled format, without the surrounding single quotes; the caller adds those. When connection is given, the escaping follows that connection's client encoding and its standard_conforming_strings setting, so pass the connection whenever you have one. Use pg_escape_bytea() for bytea columns; this function is not meant for identifiers such as table or column names.

Example 1917. pg_escape_string() example

<?php
// Connect to the database
$dbconn = pg_connect('dbname=foo');
if ($dbconn === false) {
    die('Could not connect');
}

// Read in a text file (containing apostrophes and backslashes)
$data = file_get_contents('letter.txt');

// Escape the text data. Passing the connection lets the escaping follow the
// connection's client encoding and standard_conforming_strings setting.
$escaped = pg_escape_string($dbconn, $data);

// Insert it into the database; pg_escape_string() does not add the quotes
pg_query($dbconn, "INSERT INTO correspondence (name, data) VALUES ('My letter', '{$escaped}')");
?>

Code Examples / Notes » pg_escape_string

meng

Since PHP 5.1 the new function pg_query_params() has been available. With this function you can use bind variables and don't have to escape strings. If you can use it, do so. If unsure why, check the changelog for PostgreSQL 8.0.8.
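The bind-variable route the note recommends, as an added example that is not from the manual or from the note's author: pg_query_params() for a one-off statement and pg_prepare()/pg_execute() for a statement run repeatedly. It assumes a reachable database "foo" with tables correspondence(name text, data text) and a.tblcards(barcode text, ...); both table shapes are assumptions borrowed from the examples on this page.

```php
<?php
// Added example (not the manual's code): bound parameters instead of escaping.
// Assumes database "foo" with correspondence(name text, data text) and
// a.tblcards(barcode text, ...) (assumptions taken from this page's examples).

function insert_letter($dbconn, string $name, string $data): bool
{
    // Single-quoted PHP string so that $1/$2 reach PostgreSQL as placeholders.
    // The values travel separately from the SQL text, so quotes, backslashes or
    // a trailing "; DROP TABLE ..." inside $data are just bytes in a column.
    $sql = 'INSERT INTO correspondence (name, data) VALUES ($1, $2)';
    return pg_query_params($dbconn, $sql, [$name, $data]) !== false;
}

function cards_by_barcode($dbconn, string $barcode): array
{
    // The unnamed prepared statement ('') may be re-prepared freely; a named
    // statement must be prepared only once per connection.
    $prepared = pg_prepare($dbconn, '', 'SELECT * FROM a.tblcards WHERE barcode = $1');
    if ($prepared === false) {
        throw new RuntimeException(pg_last_error($dbconn));
    }
    $res = pg_execute($dbconn, '', [$barcode]);
    if ($res === false) {
        throw new RuntimeException(pg_last_error($dbconn));
    }
    return pg_fetch_all($res) ?: [];
}

$dbconn = pg_connect('dbname=foo');
if ($dbconn === false) {
    die("connection failed\n");
}

// Constructed hostile input: with string building this would close the literal.
$letter = "Dear all,\n it's \\ time'); DROP TABLE correspondence; --";
insert_letter($dbconn, 'My letter', $letter);

// The same kind of payload as a barcode simply matches no row.
$rows = cards_by_barcode($dbconn, "x'; DROP TABLE foo; SELECT '1");
printf("%d row(s)\n", count($rows));
```

Two limits worth knowing: pg_query_params() executes exactly one statement, and a parameter can only stand in for a value, never for a table or column name, so identifiers still have to come from a whitelist in your own code. A PHP null in the parameter array is sent as SQL NULL.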

gautam khanna

The security methods you use depend on the specific purpose. For those who don't know, take a look at the following built-in PHP functions:
strip_tags()                   to remove HTML characters
(also see htmlspecialchars)
escapeshellarg()               to escape shell command arguments
escapeshellcmd()               to escape shell commands
mysql_real_escape_string()     to escape MySQL commands.
Enjoy!
web dot expert dot panel at gmail dot com


dominik dot mueller

In reply to "rich at dicksonlife dot com":
use serialize() / unserialize() instead!


tsharek

IMO the stripslashes in this case is not very useful, because pg_escape_string changes ' into '' (a double ' - not "). When adding to the database I use this:
pg_escape_string(stripslashes($_GET['var'])) and it is 100% safe (I hope).
If I used addslashes in this case it would waste space in the database (\''' - this is 3 bytes).
PS: sorry for my English :)


rich

Here's some code I knocked up to turn an array of values into a string representation of an array. Note that I also add the external single quotes to make it a full string literal.
 // $t is the array to be escaped. $u will be the string literal.
 $tv=array();
 foreach($t as $key=>$val){
   // Inside a double-quoted array element only \ and " are special;
   // double the backslashes first so the one added for " is not doubled again.
   $tv[$key]="\"" .
     str_replace("\"",'\\"', str_replace('\\','\\\\',$val)) . "\"";
 }
 $u= implode(",",$tv) ;
 // Escape the whole literal for the query and add the outer single quotes.
 $u="'{" . pg_escape_string($u) . "}'";
There's probably a better way of doing this. That's why I'm posting this here :)
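One better way, as an added example that is not rich's code: build the text[] literal the same way but hand it to PostgreSQL as a bound parameter, so the literal itself never goes through pg_escape_string(). It also goes beyond the post by handling PHP null elements. The table tags(id serial, names text[]) is an assumption, not something on this page.

```php
<?php
// Added example (not from the page): PostgreSQL text[] literal built in PHP and
// passed as a bound parameter. Assumes a table tags(id serial, names text[]).

function pg_text_array(array $values): string
{
    $elems = [];
    foreach ($values as $v) {
        if ($v === null) {
            $elems[] = 'NULL';   // an unquoted NULL is the array-literal null element
            continue;
        }
        // Inside a double-quoted element only \ and " are special; escape the
        // backslash first so the one added for " is not doubled again.
        $v = str_replace('\\', '\\\\', (string) $v);
        $v = str_replace('"', '\\"', $v);
        $elems[] = '"' . $v . '"';
    }
    return '{' . implode(',', $elems) . '}';
}

function insert_tags($dbconn, array $names): bool
{
    // The literal is an ordinary value here; the ::text[] cast tells the server
    // which type to parse the parameter as, and no quoting is needed in PHP.
    return pg_query_params($dbconn,
        'INSERT INTO tags (names) VALUES ($1::text[])',
        [pg_text_array($names)]) !== false;
}

// Constructed input covering every character the element syntax cares about:
// quotes, a backslash, an apostrophe, an empty string, a real null and the
// four-letter string "NULL" (which must stay a string, hence the quoting).
$names = ['plain', 'has "quotes"', 'back\\slash', "it's", '', null, 'NULL'];
echo pg_text_array($names), "\n";

$dbconn = pg_connect('dbname=foo');
if ($dbconn !== false) {
    insert_tags($dbconn, $names);
}
```

Because every non-null element is double-quoted, values that happen to contain commas, braces or leading spaces are also carried through unchanged; only the backslash and the double quote need escaping inside the quotes.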


16-jul-2003 07:30

Here, with 'abc'efg' the middle ' terminates the string; however 'abc\'def' is one big string with a ' character in the middle.
If the user can terminate the string he can then put in bad SQL. When prompted for Barcode the user could put in  DROP TABLE foo; SELECT '1
$query = sprintf ("SELECT * FROM a.tblcards WHERE barcode='%s'", pg_escape_string($barcode));
So you have to "clean" your variable coming in to prevent that.


johniskew2

For those who escape their single quotes with a backslash (i.e. \') instead of two single quotes in a row (i.e. '') there has recently been a SERIOUS SQL injection vulnerability that can be exploited by taking advantage of your chosen escaping method. More info here: http://www.postgresql.org/docs/techdocs.50
Even after the PostgreSQL update, you may still be limited in what you can do with your queries if you still insist on backslash escaping. It's a lesson to always use the PHP functions to do proper escaping instead of ad hoc addslashes or magic quotes escaping.
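The two escaping styles discussed in the 16-jul-2003 note and in the note above, applied to hostile input without a database, as an added example that is not from the manual or from either note's author. It assumes only that the pgsql extension is loaded: called without a connection, pg_escape_string() uses libpq's connection-less escaper, which doubles both ' and \ (the behaviour for standard_conforming_strings = off). The multibyte mechanism in the second half is my reading of the advisory linked in the note, and the byte sequence is constructed for the demonstration.

```php
<?php
// Added example (not from the page): quote doubling versus backslash escaping.
// Assumes only the pgsql extension; no connection is opened.

// Quote doubling by hand, for comparison with addslashes().
function escape_by_doubling(string $s): string
{
    return str_replace("'", "''", $s);
}

// (1) The barcode payload from the 16-jul-2003 note. After pg_escape_string()
// every ' has become '', so the literal is closed only by the quote that the
// sprintf() format appends; the DROP TABLE text is part of the searched-for
// barcode, not a second statement.
$barcode = "x'; DROP TABLE foo; SELECT '1";
$query = sprintf("SELECT * FROM a.tblcards WHERE barcode='%s'",
                 pg_escape_string($barcode));
echo $query, "\n";

// (2) The backslash problem behind the advisory linked in the note above.
// Constructed bytes: a lead byte 0xBF followed by a quote. In a multibyte
// client encoding such as GBK, 0xBF 0x5C forms one two-byte character, so the
// backslash that addslashes() inserts is absorbed into that character and the
// quote after it is live again.
$payload = "\xbf' OR 1=1 --";

$backslashed = addslashes($payload);          // inserts 0x5C before the 0x27
$doubled     = escape_by_doubling($payload);  // inserts a second 0x27 instead

// 0x27 is never a trail byte in GBK or SJIS, so the doubled quote cannot be
// absorbed the way the backslash can; the literal stays closed.
printf("addslashes : %s\n", bin2hex($backslashed));
printf("doubling   : %s\n", bin2hex($doubled));
```

With a real connection, pass it (pg_escape_string($conn, $s)) so that libpq escapes with knowledge of the client encoding. The server-side half of the fix the note refers to is the backslash_quote setting: since that update PostgreSQL rejects \' as a quote escape in client encodings where it is unsafe, which is why backslash-escaped queries can fail where quote-doubled ones still work.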


otix

Creating a double-tick is just fine. It works the same as the backslash-tick syntax. From the PostgreSQL docs:
The fact that string constants are bound by single quotes presents an obvious semantic problem, however, in that if the sequence itself contains a single quote, the literal bounds of the constant are made ambiguous. To escape (make literal) a single quote within the string, you may type two adjacent single quotes. The parser will interpret the two adjacent single quotes within the string constant as a single, literal single quote. PostgreSQL will also allow single quotes to be embedded by using a C-style backslash.

