reference/mysqli/mysqli/real-escape-string.xml
fc174e8d6162091550edde46159917ee7e5a2e73
@@ -10,23 +10,19 @@
10
10
<refsect1 role="description">
11
11
&reftitle.description;
12
12
<para>&style.oop;</para>
13
-
<methodsynopsis role="oop">
14
-
<type>string</type><methodname>mysqli::escape_string</methodname>
15
-
<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
16
-
</methodsynopsis>
17
-
<methodsynopsis>
18
-
<type>string</type><methodname>mysqli::real_escape_string</methodname>
19
-
<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
13
+
<methodsynopsis role="mysqli">
14
+
<modifier>public</modifier> <type>string</type><methodname>mysqli::real_escape_string</methodname>
15
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
20
16
</methodsynopsis>
21
17
<para>&style.procedural;</para>
22
18
<methodsynopsis>
23
19
<type>string</type><methodname>mysqli_real_escape_string</methodname>
24
-
<methodparam><type>mysqli</type><parameter>link</parameter></methodparam>
25
-
<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
20
+
<methodparam><type>mysqli</type><parameter>mysql</parameter></methodparam>
21
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
26
22
</methodsynopsis>
27
23
<para>
28
24
This function is used to create a legal SQL string that you can use in an
29
-
SQL statement. The given string is encoded to an escaped SQL string,
25
+
SQL statement. The given string is encoded to produce an escaped SQL string,
30
26
taking into account the current character set of the connection.
31
27
</para>
32
28
<caution>
@@ -47,14 +43,16 @@
47
43
<variablelist>
48
44
&mysqli.link.description;
49
45
<varlistentry>
50
-
<term><parameter>escapestr</parameter></term>
46
+
<term><parameter>string</parameter></term>
51
47
<listitem>
52
48
<para>
53
49
The string to be escaped.
54
50
</para>
55
51
<para>
56
-
Characters encoded are <literal>NUL (ASCII 0), \n, \r, \, ', ", and
57
-
Control-Z</literal>.
52
+
Characters encoded are <literal>NUL (ASCII 0)</literal>,
53
+
<literal>\n</literal>, <literal>\r</literal>, <literal>\</literal>,
54
+
<literal>'</literal>, <literal>"</literal>, and
55
+
<keycombo action='simul'><keycap>CTRL</keycap><keycap>Z</keycap></keycombo>.
58
56
</para>
59
57
</listitem>
60
58
</varlistentry>
@@ -77,102 +75,65 @@
77
75
<programlisting role="php">
78
76
<![CDATA[
79
77
<?php
80
-
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
81
-

82
-
/* check connection */
83
-
if (mysqli_connect_errno()) {
84
-
printf("Connect failed: %s\n", mysqli_connect_error());
85
-
exit();
86
-
}
87
-

88
-
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
89
78

90
-
$city = "'s Hertogenbosch";
91
-

92
-
/* this query will fail, cause we didn't escape $city */
93
-
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
94
-
printf("Error: %s\n", $mysqli->sqlstate);
95
-
}
79
+
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
80
+
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
96
81

97
-
$city = $mysqli->real_escape_string($city);
82
+
$city = "'s-Hertogenbosch";
98
83

99
84
/* this query with escaped $city will work */
100
-
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
101
-
printf("%d Row inserted.\n", $mysqli->affected_rows);
102
-
}
103
-

104
-
$mysqli->close();
105
-
?>
85
+
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
86
+
$mysqli->real_escape_string($city));
87
+
$result = $mysqli->query($query);
88
+
printf("Select returned %d rows.\n", $result->num_rows);
89
+

90
+
/* this query will fail, because we didn't escape $city */
91
+
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
92
+
$result = $mysqli->query($query);
106
93
]]>
107
94
</programlisting>
108
95
<para>&style.procedural;</para>
109
96
<programlisting role="php">
110
97
<![CDATA[
111
98
<?php
112
-
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
113
-

114
-
/* check connection */
115
-
if (mysqli_connect_errno()) {
116
-
printf("Connect failed: %s\n", mysqli_connect_error());
117
-
exit();
118
-
}
119
99

120
-
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
100
+
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
101
+
$mysqli = mysqli_connect("localhost", "my_user", "my_password", "world");
121
102

122
-
$city = "'s Hertogenbosch";
123
-

124
-
/* this query will fail, cause we didn't escape $city */
125
-
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
126
-
printf("Error: %s\n", mysqli_sqlstate($link));
127
-
}
128
-

129
-
$city = mysqli_real_escape_string($link, $city);
103
+
$city = "'s-Hertogenbosch";
130
104

131
105
/* this query with escaped $city will work */
132
-
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
133
-
printf("%d Row inserted.\n", mysqli_affected_rows($link));
134
-
}
135
-

136
-
mysqli_close($link);
137
-
?>
106
+
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
107
+
mysqli_real_escape_string($mysqli, $city));
108
+
$result = mysqli_query($mysqli, $query);
109
+
printf("Select returned %d rows.\n", mysqli_num_rows($result));
110
+

111
+
/* this query will fail, because we didn't escape $city */
112
+
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
113
+
$result = mysqli_query($mysqli, $query);
138
114
]]>
139
115
</programlisting>
140
-
&examples.outputs;
116
+
&examples.outputs.similar;
141
117
<screen>
142
118
<![CDATA[
143
-
Error: 42000
144
-
1 Row inserted.
119
+
Select returned 1 rows.
120
+

121
+
Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...
145
122
]]>
146
123
</screen>
147
124
</example>
148
125
</refsect1>
149
126

150
-
<refsect1 role="notes">
151
-
&reftitle.notes;
152
-
<note>
153
-
<para>
154
-
For those accustomed to using <function>mysql_real_escape_string</function>,
155
-
note that the arguments of <function>mysqli_real_escape_string</function>
156
-
differ from what <function>mysql_real_escape_string</function> expects.
157
-
The <parameter>link</parameter> identifier comes first in
158
-
<function>mysqli_real_escape_string</function>, whereas the string to be escaped
159
-
comes first in <function>mysql_real_escape_string</function>.
160
-
</para>
161
-
</note>
162
-
</refsect1>
163
-

164
127
<refsect1 role="seealso">
165
128
&reftitle.seealso;
166
129
<para>
167
130
<simplelist>
168
131
<member><function>mysqli_set_charset</function></member>
169
-
<member><function>mysqli_character_set_name</function></member>
170
132
</simplelist>
171
133
</para>
172
134
</refsect1>
173
135

174
136
</refentry>
175
-

176
137
<!-- Keep this comment at the end of the file
177
138
Local variables:
178
139
mode: sgml
179
140