Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)
(PHP 4 >= 4.2.0, PHP 5)
pg_escape_string — Maskiert einen String zum Einfgen in Felder mit text/char Datentypen
pg_escape_string() maskiert einen String zum Einfügen in Felder mit text/char Datentypen. Der Rückgabewert ist der maskierte String im PostgreSQL-Format. Diese Funktion sollte anstelle von addslashes() verwendet werden. Falls der Datentyp der Spalte bytea ist, mssen Sie stattdessen pg_escape_bytea() verwenden.
Hinweis:
Diese Funktion setzt PostgreSQL 7.2 oder höher voraus.
PostgreSQL Verbindungskennung. Wenn der Parameter connection nicht angegeben ist, wird die Standardverbindung benutzt. Das ist die Verbindung, die zuletzt von pg_connect() oder pg_pconnect() geöffnet wurde.
Ein string mit den Daten, die maskiert werden müssen.
Ein string mit den maskierten Daten.
| Version | Beschreibung |
|---|---|
| 5.2.0 | Der Parameter connection wurde hinzugefügt. |
Beispiel #1 pg_escape_string() Beispiel
<?php
// Datenbankverbindung öffnen
$dbconn = pg_connect('dbname=foo');
// Eine Textdatei (mit Hochkommas und Backslashes) auslesen
$data = file_get_contents('letter.txt');
// Die Textdaten maskieren
$escaped = pg_escape_string($data);
// und in die Datenbank einfügen
pg_query("INSERT INTO correspondence (name, data) VALUES ('My letter', '{$escaped}')");
?>
Forthose curious, the exact escaping performed on the string may vary slightly depending on your database configuration.
For example, if your database's standard_conforming_strings variable is OFF, backslashes are treated as a special character and pg_escape_string() will ensure they are properly escaped. If this variable is ON, backslashes will be treated as ordinary characters, and pg_escape_string() will leave them as-is. In either case, the behavior matches the configuration of the database connection.
If your database is a UTF-8 database, you will run into problems trying to add some data into your database...
for securty issues and/or compatability you may need to use the: utf_encode() (http://php.net/utf8-encode) function.
for example:
<?php
$my_data = pg_escape_string(utf8_encode($_POST['my_data']));
?>
Security methods which you use depend on the specific purpose. For those who dont know, take a look at the following built-in PHP functions:
strip_tags() to remove HTML characters
(also see htmlspecialchars)
escapeshellarg() to escape shell commands etc
escapeshellcmd()
mysql_real_escape_string() to escape mySQL commands.
Enjoy!
web dot expert dot panel at gmail dot com
For those who escape their single quotes with a backslash (ie \') instead of two single quotes in a row (ie '') there has recently been a SERIOUS sql injection vulnerability that can be employed taking advantage of your chosen escaping method. More info here: http://www.postgresql.org/docs/techdocs.50
Even after the postgre update, you may still be limited to what you can do with your queries if you still insist on backslash escaping. It's a lesson to always use the PHP functions to do proper escaping instead of adhoc addslashes or magic quotes escaping.
Since php 5.1 the new function pg_query_params() was introduced. With this function you can use bind variables and don't have to escape strings. If you can use it, do so. If unsure why, check the changelog for Postgres 8.0.8.
Creating a double-tick is just fine. It works the same as the backslash-tick syntax. From the PostgreSQL docs:
The fact that string constants are bound by single quotes presents an obvious semantic problem, however, in that if the sequence itself contains a single quote, the literal bounds of the constant are made ambiguous. To escape (make literal) a single quote within the string, you may type two adjacent single quotes. The parser will interpret the two adjacent single quotes within the string constant as a single, literal single quote. PostgreSQL will also allow single quotes to be embedded by using a C-style backslash.
Here's some code I knocked up to turn an array of values into a string representation of an array. Note that I also add the external single quotes to make it a full string literal.
//$t is array to be escaped. $u will be string literal.
$tv=array();
foreach($t as $key=>$val){
$tv[$key]="\"" .
str_replace("\"",'\\"', str_replace('\\','\\\\',$val)) . "\"
";
}
$u= implode(",",$tv) ;
$u="'{" . pg_escape_string($u) . "}'";
There's probably a better way of doing this. That's why I'm posting this here :)
IMO the stripslashes in this case is not very usefull. Because pg_escape_string change ' into '' (double ' - not "). I use in add to database this:
pg_escape_string(stripslashes($_GET['var'])) and is in 100% safe (i hope).
If I use addslashes in this case that well be lost space in database (\''' - this is 3 bytes)
ps. sorry for my english:)
Here with 'abc'efg' the middle ' terminates the string, however 'abc\'def' is one big string with a ' character in the middle.
If the user can terminate the string he can then put in the bad sql. When prompted for Barcode the user could put in DROP TABLE foo; SELECT '1
$query = sprintf ("SELECT * FROM a.tblcards WHERE barcode='%s'", pg_escape_string($barcode));
So you have to "clean" your variable coming in to prevent that.
Diese Seite bei php.net