escape_str in mysql
Posted: 24 September 2007 11:46 AM
Joined: 2007-09-21
4 posts

I have been looking for a similar bug, but I didn’t find it, so I decided to write a new one.
When I try to escape a string using the escape_str function, I get incorrect results.
For example:

// '\\' at the end of the single-quoted string is one literal backslash
$query = $this->db->query('insert into table values (?, ?)', array('value1', 'value2 /\/\/\\'));

The query result is:

insert into table values ('value1''value2 /\/\/\'

The error is in the last slash & quote.

The escape_str function is this:

function escape_str($str)
{
    // Escape single quotes
    return str_replace("'", "''", $str);
}

Why do you do it this way if the function mysql_escape_string exists?

Thanks for your time, and sorry for my English.

 
Posted: 24 September 2007 12:33 PM   [ # 1 ]
Joined: 2007-09-21
4 posts

Sorry!! I was wrong when I talked about the code of escape_str in MySQL; it’s the mssql code, but I still don’t get a correctly escaped string.

 
Posted: 24 September 2007 01:42 PM   [ # 2 ]
Joined: 2007-09-21
4 posts

In DB_driver.php, in the function compile_binds, when the “?” character is replaced by the bind, it removes the slashes “\”.

I added this to my CI code:

$sql = preg_replace('#'.preg_quote($this->bind_marker, '#').'#', str_replace('\\', '\\\\', str_replace('$', '\$', $val)), $sql, 1);

line: 525

Is this ok?
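
The backslash loss described in reply #2 comes from preg_replace() treating "\\" and "$n" in its replacement argument as escape syntax, so the bound value has to be protected for both. The following is an added example, not code from the posts or from CodeIgniter: the function names and sample values are constructed, and addslashes() stands in for the driver's escaping. It compares three ways of preparing the replacement string, including the nesting order used in reply #2.

```php
<?php
// Added example: function names are hypothetical, not CodeIgniter's own.
// addslashes() stands in for the database driver's escape routine (assumption).

function quote_value(string $val): string
{
    return "'" . addslashes($val) . "'";
}

// Substitutes one marker per bind with preg_replace(). $protect turns the
// quoted value into a replacement string that preg_replace() should copy as-is.
function compile_binds_demo(string $sql, array $binds, callable $protect): string
{
    $pattern = '#' . preg_quote('?', '#') . '#';
    foreach ($binds as $val) {
        $sql = preg_replace($pattern, $protect(quote_value($val)), $sql, 1);
    }
    return $sql;
}

// Protects only '$': every "\\" pair in the escaped value collapses to "\".
$dollar_only = function (string $v): string {
    return str_replace('$', '\$', $v);
};

// Order used in reply #2: the backslash added in front of '$' gets doubled too.
$dollar_then_backslash = function (string $v): string {
    return str_replace('\\', '\\\\', str_replace('$', '\$', $v));
};

// Single pass over both characters, so neither escape is processed twice.
$single_pass = function (string $v): string {
    return strtr($v, ['\\' => '\\\\', '$' => '\$']);
};

$sql   = 'insert into table values (?, ?)';
$binds = ['value1', 'value2 /\/\/\\'];   // constructed sample; ends in one backslash
$money = ['value1', 'costs $5'];         // constructed sample containing '$'

foreach (['dollar_only' => $dollar_only,
          'dollar_then_backslash' => $dollar_then_backslash,
          'single_pass' => $single_pass] as $name => $protect) {
    echo $name, "\n";
    echo '  ', compile_binds_demo($sql, $binds, $protect), "\n";
    echo '  ', compile_binds_demo($sql, $money, $protect), "\n";
}
```

Only the single-pass variant leaves both sample values intact inside their quotes; the other two either halve the escaped backslashes or turn the protected "$5" back into a live group reference.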