downloads | documentation | faq | getting help | mailing lists | licenses | wiki | reporting bugs | php.net sites | links | conferences | my php.net

search for in the

SQLite3::exec> <SQLite3::createFunction
[edit] Last updated: Fri, 25 May 2012

view this page in

SQLite3::escapeString

(PHP 5 >= 5.3.0)

SQLite3::escapeString適切にエスケープされた文字列を返す

説明

public string SQLite3::escapeString ( string $value )

SQL 文の中で使えるよう適切にエスケープされた文字列を返します。

パラメータ

value

エスケープしたい文字列。

返り値

SQL 文の中で安全に使えるよう適切にエスケープされた文字列を返します。

注意

警告

SQLite クエリの文字列をクォートする際に addslashes() を使っては いけません。 予期せぬ結果を引き起こしてしまいます。



SQLite3::exec> <SQLite3::createFunction
[edit] Last updated: Fri, 25 May 2012
 
add a note add a note User Contributed Notes SQLite3::escapeString
rebles at myupb dot com 16-Jan-2011 03:24
SQLite3::escapeString() should be used on every piece of user input before constructing the query string, or *after* constructing the query string?

Calling this function on user input BEFORE constructing the query string can lead to interesting results.  For instance, it truncates e-mail addresses in an un-usable manor.
alec at alecnewman dot com 09-Aug-2010 08:14
The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values.

This is important to remember, especially coming from another SQL implementation.  It can cause strange problems, for example, the query:

SELECT * FROM table WHERE column1="column1"

Would actually return every record, because column1 is always equal to column1.  This should instead be:

SELECT * FROM table WHERE column1='column1'

Double quotes are not escaped by the function because they are not interpreted specially within single quoted strings.
koalay at gmail dot com 24-May-2010 02:28
I seems that the function only escapes single quote ' and left double quote " untouched.

<?php

$database_filename = "database.db";
$dbhandle = new SQLite3($database_filename, $mode=0666, $sqliteerror);
$escape_result = $dbhandle->escapeString("testing's is \"fun\".");
print "$escape_result\n";

?>

The result would be:

  testing''s is "fun".

So, please use single quote to quote text in sqlite query.

<?php

// this should be OK
$sql = sprintf("INSERT INTO table1 (somestr1, somestr2) VALUES ('%s', '%s')",
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

// this would be vulnerable to injection
$sql = sprintf('INSERT INTO table1 (somestr1, somestr2) VALUES ("%s", "%s")',
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

?>
add a note add a note

 
show source | credits | stats | sitemap | contact | advertising | mirror sites