Question: reccommend me please universal approach of special chars escaping that will works with any database
$sql="INSERT INTO table (field, field2) VALUES ('$value', '$value1')";
$value and $value1 is GET or POST, any. I have to escape special chars for safe.
For mySQL it looks $value=addslashes($value);
But when I tried it for Oracle my text was writed in database with backslashes.
If I want to create databaseindependent software I have to write
if ($metabase->database_type=='mysql') $value=addslashes($value);
if ($metabase->database_type=='oci') $value= str_replace("'", "''", $value);
It approach is bad becouse I have to list each database type. And str_replace('"', '""', $value) is strongly depended for query quotes: if I'll write
$sql='INSERT INTO table (field, field2) VALUES ("$value", "$value1")';
It would be error.
How may I write database independent code? My Oracle knowledges is weak, may be I don't know how escaping works with Oracle?
Manuel Lemos - 2006-02-09 19:07:52 - In reply to message 1 from Kaurov Eugene
You can use the Get*FieldValue functions to ask Metabase API convert database independent values to the respective representation in the target database format. That will provide the necessary escaping and format conversion when needed.
Alternatively you can also use prepared statements. These allow you to define placeholders in a SQL query marked as ? . Those placeholders are replaced by parameter values that you define when the query are executed.
Take a look at the tutorial document as it explains how both solutions work. Just let me know if you still have doubts.