Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
PHP: pg_escape_string - Manual
[go: Go Back, main page]
PHP
downloads | documentation | faq | getting help | mailing lists | reporting bugs | php.net sites | links | conferences | my php.net

search for in the

pg_execute" width="11" height="7"/> <pg_escape_bytea
Last updated: Fri, 25 Apr 2008

view this page in

pg_escape_string

(PHP 4 >= 4.2.0, PHP 5)

pg_escape_string — テキスト型フィールドに挿入するために、文字列をエスケープする

説明

string pg_escape_string ([ resource $connection ], string $data )

pg_escape_string() は、データベースに挿入するための 文字列をエスケープします。PostgreSQL フォーマットにエスケープされた 文字列を返します。addslashes() の代わりにこの関数を 使用することを推奨します。カラム型が bytea の場合は、代わりに pg_escape_bytea() を使用しなければなりません。

注意: この関数は、PostgreSQL 7.2 以降が必要です。

パラメータ

connection

PostgreSQL データベース接続リソース。 connection が存在しない場合は、 デフォルトの接続を使用します。デフォルトの接続は、 pg_connect() あるいは pg_pconnect() で直近に作成されたものとなります。

data

エスケープするテキスト文字列。

返り値

エスケープされたデータを文字列で返します。

変更履歴

バージョン 説明
5.2.0 connection が追加されました。

例1 pg_escape_string() の例

<?php 
  // データベースに接続する
  $dbconn pg_connect('dbname=foo');
  
  // テキストファイルを読み込む(アポストロフィやスラッシュが含まれている)
  $data file_get_contents('letter.txt');
  
  // テキストデータをエスケープする
  $escaped pg_escape_string($data);
  
  // それをデータベースに挿入する
  pg_query("INSERT INTO correspondence (name, data) VALUES ('My letter', '{$escaped}')");
?>

参考



pg_execute" width="11" height="7"/> <pg_escape_bytea
Last updated: Fri, 25 Apr 2008
 
add a note add a note User Contributed Notes
pg_escape_string
Nathan Bruer
09-Feb-2008 06:23
If your database is a UTF-8 database, you will run into problems trying to add some data into your database...

for securty issues and/or compatability you may need to use the: utf_encode() (http://php.net/utf8-encode) function.

for example:
<?php
$my_data = pg_escape_string(utf8_encode($_POST['my_data']));
?>
Gautam Khanna
29-Aug-2007 11:55
Security methods which you use depend on the specific purpose. For those who dont know, take a look at the following built-in PHP functions:

strip_tags()            to remove HTML characters
(also see htmlspecialchars)

escapeshellarg()      to escape shell commands etc
escapeshellcmd()

mysql_real_escape_string()     to escape mySQL commands.

Enjoy!

web dot expert dot panel at gmail dot com
Gautam Khanna
29-Aug-2007 11:54
Security methods which you use depend on the specific purpose. For those who dont know, take a look at the following built-in PHP functions:

strip_tags()            to remove HTML characters
(also see htmlspecialchars)

escapeshellarg()      to escape shell commands etc
escapeshellcmd()

mysql_real_escape_string()     to escape mySQL commands.

Enjoy!

web dot expert dot panel at gmail dot com
johniskew2 at yahoo dot com
31-May-2006 01:43
For those who escape their single quotes with a backslash (ie \') instead of two single quotes in a row (ie '') there has recently been a SERIOUS sql injection vulnerability that can be employed taking advantage of your chosen escaping method.  More info here: http://www.postgresql.org/docs/techdocs.50
Even after the postgre update, you may still be limited to what you can do with your queries if you still insist on backslash escaping. It's a lesson to always use the PHP functions to do proper escaping instead of adhoc addslashes or magic quotes escaping.
meng
28-May-2006 08:21
Since php 5.1 the new function pg_query_params() was introduced. With this function you can use bind variables and don't have to escape strings. If you can use it, do so. If unsure why, check the changelog for Postgres 8.0.8.
otix
25-Apr-2006 07:43
Creating a double-tick is just fine. It works the same as the backslash-tick syntax. From the PostgreSQL docs:

The fact that string constants are bound by single quotes presents an obvious semantic problem, however, in that if the sequence itself contains a single quote, the literal bounds of the constant are made ambiguous. To escape (make literal) a single quote within the string, you may type two adjacent single quotes. The parser will interpret the two adjacent single quotes within the string constant as a single, literal single quote. PostgreSQL will also allow single quotes to be embedded by using a C-style backslash.
dominik dot mueller at access dot unizh dot ch
16-Jan-2006 02:40
in reply to "rich at dicksonlife dot com"

use serialize() / unserialize() instead!
rich at dicksonlife dot com
19-Jul-2005 09:38
Here's some code I knocked up to turn an array of values into a string representation of an array. Note that I also add the external single quotes to make it a full string literal.

  //$t is array to be escaped. $u will be string literal.
  $tv=array();
  foreach($t as $key=>$val){
    $tv[$key]="\"" .
      str_replace("\"",'\\"', str_replace('\\','\\\\',$val)) . "\"
";
  }
  $u= implode(",",$tv) ;
  $u="'{" . pg_escape_string($u) . "}'";

There's probably a better way of doing this. That's why I'm posting this here :)
tsharek at o2 dot pl
02-Mar-2005 08:34
IMO the stripslashes in this case is not very usefull. Because pg_escape_string change ' into '' (double ' - not "). I use in add to database this:
pg_escape_string(stripslashes($_GET['var'])) and is in 100% safe (i hope).

If I use addslashes in this case that well be lost space in database (\''' - this is 3 bytes)

ps. sorry for my english:)
17-Jul-2003 03:30
Here with 'abc'efg'  the middle ' terminates the string, however 'abc\'def' is one big string with a ' character in the middle.

If the user can terminate the string he can then put in the bad sql.  When prompted for Barcode the user could put in  DROP TABLE foo; SELECT '1

$query = sprintf ("SELECT * FROM a.tblcards WHERE barcode='%s'", pg_escape_string($barcode));

So you have to "clean" your variable coming in to prevent that.
add a note add a note

pg_execute" width="11" height="7"/> <pg_escape_bytea
Last updated: Fri, 25 Apr 2008
 
 
show source | credits | sitemap | contact | advertising | mirror sites