[nycphp-talk] escaping % and _ in a MySQL query
Matthew Juszczak
matt at atopia.net
Sun Oct 31 01:29:15 EDT 2004
David,
Why not just the latter (the mysql_escape_string()) ... if that doesn't take care of %'s and _'s (not sure off the top of my head), then what you've got seems to take care of everything...
Unless I am completely missing something?
-Matt
>
> Suppose you have a form with a textfield for people to enter a string to
> search for in your database, and you don't want people using % or _ unless
> they mean it literally. This is kind of ugly:
>
> $input = preg_replace('/(%|_)/',"\\\\$1",$input);
> $input = mysql_escape_string($input);
>
>
> Is this more or less what you should do, or is there a classier solution
> that I'm overlooking?
>
> ---
> David Mintz
> http://davidmintz.org/
>
>
> $world =~ s|<bush[^>]*>.+</bush>||is;
> Oh yeah, I could also use help writing a regex to match strings like
> "<bush />" but I'm hoping it will be moot by Tuesday.
> _______________________________________________
> New York PHP Talk
> Supporting AMP Technology (Apache/MySQL/PHP)
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.newyorkphp.org
>
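An added example, not part of the original thread: mysql_escape_string() protects the string literal but leaves % and _ untouched, so LIKE wildcards need their own escaping step before the value is bound. The sketch below assumes PHP with PDO and uses an in-memory SQLite database so it runs offline; the docs table, the function names and the sample rows are constructed for illustration, and '!' is chosen as the ESCAPE character so no backslash has to survive a second layer of string quoting.

```php
<?php
// Added example: literal substring search with LIKE.
// Assumptions: PDO with the sqlite driver; table, column and helper names are hypothetical.

/** Escape LIKE metacharacters so user input matches literally. */
function escape_like(string $input, string $esc = '!'): string
{
    // The escape character itself must be handled first, then the two wildcards.
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $input
    );
}

/** Return titles containing $input as a literal substring. */
function search_titles(PDO $db, string $input): array
{
    // The placeholder handles quoting; ESCAPE '!' tells LIKE which character
    // marks a literal % or _. The surrounding % are the only real wildcards.
    $stmt = $db->prepare(
        "SELECT title FROM docs WHERE title LIKE ? ESCAPE '!' ORDER BY title"
    );
    $stmt->execute(['%' . escape_like($input) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE docs (title TEXT)');
$ins = $db->prepare('INSERT INTO docs (title) VALUES (?)');
foreach (['100% cotton', '100 percent', 'snake_case', 'snakeXcase', 'wow!'] as $t) {
    $ins->execute([$t]);
}

// Each query is treated literally: '100%' does not match '100 percent',
// 'e_c' does not match 'snakeXcase', and '%' alone does not return every row.
foreach (['100%', 'e_c', '!', '%'] as $q) {
    printf("%-6s => %s\n", $q, json_encode(search_titles($db, $q)));
}
```

The same statement works against MySQL through PDO or mysqli, since MySQL also accepts an explicit ESCAPE clause on LIKE.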