Login   Register  
PHP Classes
elePHPant
Icontem

multidatabase special chars escaping

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us

      Metabase  >  All threads  >  multidatabase special chars escaping  >  (Un) Subscribe thread alerts  
Subject:multidatabase special chars escaping
Summary:I'm looking for universal escaping way
Messages:2
Author:Kaurov Eugene
Date:2006-02-09 17:30:29
Update:2006-02-09 19:07:52
 

  1. multidatabase special chars escaping   Reply   Report abuse  
Picture of Kaurov Eugene
Kaurov Eugene
2006-02-09 17:30:29
Question: reccommend me please universal approach of special chars escaping that will works with any database

My problem:

Description:
$sql="INSERT INTO table (field, field2) VALUES ('$value', '$value1')";
$metabase->Query($sql);

$value and $value1 is GET or POST, any. I have to escape special chars for safe.

For mySQL it looks $value=addslashes($value);
But when I tried it for Oracle my text was writed in database with backslashes.

If I want to create databaseindependent software I have to write

if ($metabase->database_type=='mysql') $value=addslashes($value);
if ($metabase->database_type=='oci') $value= str_replace("'", "''", $value);

It approach is bad becouse I have to list each database type. And str_replace('"', '""', $value) is strongly depended for query quotes: if I'll write
$sql='INSERT INTO table (field, field2) VALUES ("$value", "$value1")';
It would be error.

How may I write database independent code? My Oracle knowledges is weak, may be I don't know how escaping works with Oracle?

  2. Re: multidatabase special chars escaping   Reply   Report abuse  
Picture of Manuel Lemos
Manuel Lemos
2006-02-09 19:07:52 - In reply to message 1 from Kaurov Eugene
You can use the Get*FieldValue functions to ask Metabase API convert database independent values to the respective representation in the target database format. That will provide the necessary escaping and format conversion when needed.

Alternatively you can also use prepared statements. These allow you to define placeholders in a SQL query marked as ? . Those placeholders are replaced by parameter values that you define when the query are executed.

Take a look at the tutorial document as it explains how both solutions work. Just let me know if you still have doubts.