downloads | documentation | faq | getting help | mailing lists | licenses | wiki | reporting bugs | php.net sites | links | conferences | my php.net

search for in the

SQLite3::exec> <SQLite3::createFunction
[edit] Last updated: Fri, 25 May 2012

view this page in

SQLite3::escapeString

(PHP 5 >= 5.3.0)

SQLite3::escapeStringGibt eine passend maskierte Zeichenkette zurück

Beschreibung

public string SQLite3::escapeString ( string $value )

Gibt eine Zeichenkette zurück, die für eine sichere Einbindung in die SQL-Anfrage passend maskiert wurde.

Parameter-Liste

value

Die maskierte Zeichenkette.

Rückgabewerte

Gibt eine passend maskierte Zeichenkette zurück, welche ohne Bedenken in einer SQL-Anfrage benutzt werden kann.

Anmerkungen

Warnung

Die Funktion addslashes() sollte NICHT genutzt werden, um eine Zeichenkette für den Gebrauch in einer SQL-Anfrage zu maskieren; dies kann bei der Datenabfrage zu unvorhersehbaren Resultaten führen.



SQLite3::exec> <SQLite3::createFunction
[edit] Last updated: Fri, 25 May 2012
 
add a note add a note User Contributed Notes SQLite3::escapeString
rebles at myupb dot com 16-Jan-2011 03:24
SQLite3::escapeString() should be used on every piece of user input before constructing the query string, or *after* constructing the query string?

Calling this function on user input BEFORE constructing the query string can lead to interesting results.  For instance, it truncates e-mail addresses in an un-usable manor.
alec at alecnewman dot com 09-Aug-2010 08:14
The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values.

This is important to remember, especially coming from another SQL implementation.  It can cause strange problems, for example, the query:

SELECT * FROM table WHERE column1="column1"

Would actually return every record, because column1 is always equal to column1.  This should instead be:

SELECT * FROM table WHERE column1='column1'

Double quotes are not escaped by the function because they are not interpreted specially within single quoted strings.
koalay at gmail dot com 24-May-2010 02:28
I seems that the function only escapes single quote ' and left double quote " untouched.

<?php

$database_filename = "database.db";
$dbhandle = new SQLite3($database_filename, $mode=0666, $sqliteerror);
$escape_result = $dbhandle->escapeString("testing's is \"fun\".");
print "$escape_result\n";

?>

The result would be:

  testing''s is "fun".

So, please use single quote to quote text in sqlite query.

<?php

// this should be OK
$sql = sprintf("INSERT INTO table1 (somestr1, somestr2) VALUES ('%s', '%s')",
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

// this would be vulnerable to injection
$sql = sprintf('INSERT INTO table1 (somestr1, somestr2) VALUES ("%s", "%s")',
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

?>
add a note add a note

 
show source | credits | stats | sitemap | contact | advertising | mirror sites