[nycphp-talk] escaping % and _ in a MySQL query

Adam Maccabee Trachtenberg adam at trachtenberg.com
Sun Oct 31 01:51:22 EST 2004


I prefer str_replace() to preg_replace(), but this is essentially what
I do. Use the feature which allows you to pass multiple search/replace
pairs as arrays to reduce this to one call.

Somehow this seems missing from PHP Cookbook. I will add it to the list of
things for the 2nd Edition.

-adam

On Sun, 31 Oct 2004, Matthew Juszczak wrote:

> David,
>
> Why not just the latter (the mysql_escape_string()) ... if that doesn't take care of %'s and _'s (not sure off the top of my head), then what you've got seems to take care of everything...
>
> Unless I am completely missing something?
>
> -Matt
>
> >
>
> > Suppose you have a form with a textfield for people to enter a string to
> > search for in your database, and you don't want people using % or _ unless
> >  they mean it literally. This is kind of ugly:
> >
> > $input =  preg_replace('/(%|_)/',"\\\\$1",$input);
> > $input = mysql_escape_string($input);
> >
> >
> > Is this more or less what you should do, or is there a classier solution
> > that I'm overlooking?
> >
> > ---
> > David Mintz
> > http://davidmintz.org/
> >
> >
> > $world =~ s|<bush[^>]*>.+</bush>||is;
> > Oh yeah, I could also use help writing a regex to match strings like
> > "<bush />" but I'm hoping it will be moot by Tuesday.
> > _______________________________________________
> > New York PHP Talk
> > Supporting AMP Technology (Apache/MySQL/PHP)
> > http://lists.nyphp.org/mailman/listinfo/talk
> > http://www.newyorkphp.org

-- 
adam at trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!
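
The single-call `str_replace()` approach suggested in the reply above, as an added example that is not part of the original thread. The helper names `like_escape()` and `search()`, the `items` table and its rows are constructed for illustration, and a bound PDO parameter on an in-memory SQLite database (assumes the `pdo_sqlite` extension) stands in for `mysql_escape_string()` so the block runs offline.

```php
<?php
// Added example, not code from the thread. like_escape() is a hypothetical helper name.

/**
 * Escape LIKE metacharacters so user input matches literally.
 * The escape character itself is replaced first: str_replace() applies
 * array pairs in order, so doing it last would double the backslashes
 * just added in front of % and _.
 */
function like_escape(string $input, string $esc = '\\'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $input
    );
}

// Constructed sample data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$ins = $db->prepare('INSERT INTO items (name) VALUES (?)');
foreach (['100% cotton', '100 percent', 'a_b', 'axb', 'c:\\temp'] as $row) {
    $ins->execute([$row]);
}

// SQLite has no default LIKE escape character, so it is named explicitly.
// MySQL already defaults to backslash, so the ESCAPE clause can be dropped there.
$find = $db->prepare("SELECT name FROM items WHERE name LIKE ? ESCAPE '\\'");

function search(PDOStatement $stmt, string $term): array
{
    // The surrounding % wildcards are ours; everything inside $term is literal.
    $stmt->execute(['%' . like_escape($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Each term contains a character that would act as a wildcard if left unescaped.
foreach (['100%', 'a_b', '\\temp', '%'] as $term) {
    printf("%-6s => %s\n", $term, json_encode(search($find, $term)));
}
```

Binding the value handles the string-literal layer that `mysql_escape_string()` covered in the quoted code; the LIKE-level escaping of `%` and `_` is still needed either way, because the two layers are independent.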


