[edit] Last updated: Fri, 23 Mar 2012

SQLite3::escapeString

(PHP 5 >= 5.3.0)

SQLite3::escapeString - Returns a string that has been properly escaped

Description

public string SQLite3::escapeString ( string $veri )

Returns the given string with the necessary escaping applied so that it can be used safely in an SQL statement.

Parameters

veri

The string to be escaped.

Return Values

Returns a properly escaped string that may be used safely in an SQL statement.

Notes

Warning

You should not use addslashes() to escape strings that you intend to use in SQLite queries. Doing so will lead to strange results.



User Contributed Notes: SQLite3::escapeString
rebles at myupb dot com 16-Jan-2011 03:24
SQLite3::escapeString() should be used on every piece of user input before constructing the query string, or *after* constructing the query string?

Calling this function on user input BEFORE constructing the query string can lead to interesting results. For instance, it truncates e-mail addresses in an unusable manner.
alec at alecnewman dot com 09-Aug-2010 08:14
The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values.

This is important to remember, especially coming from another SQL implementation.  It can cause strange problems, for example, the query:

SELECT * FROM table WHERE column1="column1"

Would actually return every record, because column1 is always equal to column1.  This should instead be:

SELECT * FROM table WHERE column1='column1'

Double quotes are not escaped by the function because they are not interpreted specially within single quoted strings.
koalay at gmail dot com 24-May-2010 02:28
It seems that the function only escapes the single quote ' and leaves the double quote " untouched.

<?php

$database_filename = "database.db";
// SQLite3's constructor takes the file name (plus optional open flags);
// the old sqlite_open()-style mode and error arguments do not apply here.
$dbhandle = new SQLite3($database_filename);
$escape_result = $dbhandle->escapeString("testing's is \"fun\".");
print "$escape_result\n";

?>

The result would be:

  testing''s is "fun".

So, please use single quotes to quote text in SQLite queries.

<?php

// this should be OK: the escaped values are wrapped in single quotes
$sql = sprintf("INSERT INTO table1 (somestr1, somestr2) VALUES ('%s', '%s')",
    $dbhandle->escapeString($somestr1), $dbhandle->escapeString($somestr2));
$dbhandle->query($sql);

// this would be vulnerable to injection: escapeString() leaves double quotes
// untouched, so they offer no protection around an interpolated value
$sql = sprintf('INSERT INTO table1 (somestr1, somestr2) VALUES ("%s", "%s")',
    $dbhandle->escapeString($somestr1), $dbhandle->escapeString($somestr2));
$dbhandle->query($sql);

?>
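A runnable example, added here and not part of the manual page or of the notes above, that exercises the behaviour both of the preceding notes describe: escapeString() doubles single quotes only, a value placed between single quotes is compared as a literal, and a double-quoted token is resolved as an identifier first, which is why the double-quoted form matches every row. It runs against an in-memory database; the table and its rows are constructed for the demonstration. The prepared-statement variant at the end is an added alternative to manual escaping, not something the page itself discusses.

```php
<?php
// Added example (not the manual's own code). Shows what SQLite3::escapeString()
// does and does not do, and why the quoting style around the interpolated
// value matters in SQLite. Uses an in-memory database so nothing is written
// to disk; the table and rows below are constructed sample data.

declare(strict_types=1);

$db = new SQLite3(':memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('o''brien')");

// 1. escapeString() doubles single quotes only; double quotes pass through.
$raw = "o'brien says \"hi\"";
$escaped = SQLite3::escapeString($raw);
echo "escaped: $escaped\n";                       // o''brien says "hi"

// 2. Correct use: the escaped value sits between SINGLE quotes, so the
//    doubled quote is read back as one literal quote character.
$name = "o'brien";
$sql = sprintf("SELECT COUNT(*) FROM users WHERE name = '%s'",
               SQLite3::escapeString($name));
echo "single-quoted match count: ", $db->querySingle($sql), "\n";   // 1

// 3. Wrong use: wrapping the value in DOUBLE quotes. SQLite resolves a
//    double-quoted token as an identifier when one exists; "name" resolves
//    to the column, so name = "name" is true for every row. This is the
//    behaviour the notes above describe.
$sql = 'SELECT COUNT(*) FROM users WHERE name = "name"';
echo "double-quoted identifier match count: ", $db->querySingle($sql), "\n"; // 3

// 4. Alternative that avoids the quoting decision entirely: a prepared
//    statement with a bound parameter. The value never becomes part of the
//    SQL text, so no escaping is required.
$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = :name");
$stmt->bindValue(':name', $name, SQLITE3_TEXT);
$result = $stmt->execute();
echo "prepared statement match count: ", $result->fetchArray(SQLITE3_NUM)[0], "\n"; // 1

$db->close();
```

Run it with `php example.php`; the three counts (1, 3, 1) make the point of the notes concrete: the escaping function is only safe when the surrounding quotes are single quotes, and a bound parameter removes the question altogether.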

 
show source | credits | stats | sitemap | contact | advertising | mirror sites