Hello,
should I use mysql_real_escape_string, or does the DB class do this automatically?
Regards, jan
On 5/11/09 9:50 PM, Jan Luca wrote:
should I use mysql_real_escape_string, or does the DB class do this automatically?
Generally you should be using the database wrapper functions, which in most cases will do escaping when generating queries. See docs:
http://www.mediawiki.org/wiki/Manual:Database_access
When you do manually generate some SQL you might need to quote manually, in which case you should use the addQuotes() or strencode() methods on your database access rather than using MySQL functions directly, since we support PostgreSQL and (in theory) other DB backends as well.
-- brion
I mean when I use the DB class (Database::select and Database::insert).
-----Original message----- From: wikitech-l-bounces@lists.wikimedia.org [mailto:wikitech-l-bounces@lists.wikimedia.org] On behalf of Brion Vibber Sent: Monday, 11 May 2009 19:06 To: Wikimedia developers Subject: Re: [Wikitech-l] Is mysql_real_escape_string needed?
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Yes, you need to escape all input before doing select or insert. However, the database has helper functions to help you do it; you don't need to be calling mysql_real_escape_string() directly. -Chad
Thank you!
-----Original message----- From: wikitech-l-bounces@lists.wikimedia.org [mailto:wikitech-l-bounces@lists.wikimedia.org] On behalf of Chad Sent: Monday, 11 May 2009 19:40 To: Wikimedia developers Subject: Re: [Wikitech-l] Is mysql_real_escape_string needed?
Hello,
I have just seen: if $mode = LIST_COMMA is used in Database::makeList() (Database::insert uses $mode = LIST_COMMA), then it calls the function $this->addQuotes( $value ), so that you don't need to escape your input manually.
Line 1436 in function makeList( $a, $mode = LIST_COMMA ), lines 1390-1440 in includes/db/Database.php
Regards, jan
On Mon, May 11, 2009 at 12:50 PM, Jan Luca jan@jans-seite.de wrote:
should I use mysql_real_escape_string, or does the DB class do this automatically?
It doesn't do it automatically, but we've abstracted it into the addQuotes() method that can do it for you (i.e. don't call mysql_real_escape_string() yourself). This way it can be properly abstracted for systems other than MySQL.
Also, when using a LIKE, we've also got escapeLike() for sanitizing user input for %'s
-Chad
On Mon, May 11, 2009 at 1:08 PM, Chad innocentkiller@gmail.com wrote:
Also, when using a LIKE, we've also got escapeLike() for sanitizing user input for %'s
And _'s. Those are easy to forget, but they need to be escaped too.
On Mon, May 11, 2009 at 1:40 PM, Chad innocentkiller@gmail.com wrote:
Yes, you need to escape all input before doing select or insert.
Not ideally. If you do something like
$dbr->select( 'page', 'page_id', array( 'page_namespace' => 0, 'page_title' => $unsanitized_user_input ) );
the values (second half) of the WHERE part will be automatically escaped. Manually escaping it will lead to double escaping. In fact, if you want a condition like 'page_id = rev_page', you need to do something like array( 'page_id = rev_page' ). Trying array( 'page_id' => 'rev_page' ) will give you "WHERE page_id = 'rev_page'".
So as Jan says, you only need to manually escape if you have to do a condition that requires you to use a raw string, like if you need to use functions or comparison operators other than equality (!=, <, >, LIKE, ...).
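As an added illustration (written for this page, not code from MediaWiki or from anyone in the thread), the following stand-alone PHP script mimics the rule the last reply describes: in the condition array, a `'column' => $value` pair gets its value passed through addQuotes(), while a bare string element is emitted verbatim, and LIKE patterns need escapeLike() for `%` and `_` on top of that. The class `ToyDb`, the constants `TOY_LIST_COMMA`/`TOY_LIST_AND`, the method `selectSql()` and the sample input are hypothetical stand-ins; only the method names addQuotes(), strencode(), escapeLike() and makeList() are taken from the thread.

```php
<?php
// Added illustration, not MediaWiki code: a toy condition builder that mimics
// the behaviour described in the thread for Database::makeList() / select().
// ToyDb, TOY_LIST_* and selectSql() are hypothetical stand-ins.

const TOY_LIST_COMMA = 0;   // stand-in for LIST_COMMA (used by insert())
const TOY_LIST_AND   = 1;   // stand-in for LIST_AND   (used for WHERE clauses)

final class ToyDb
{
    /** Backslash-escape the characters a MySQL string literal cannot hold raw
     *  (stand-in for mysql_real_escape_string() / strencode()). */
    public function strencode(string $s): string
    {
        return strtr($s, [
            "\\"   => "\\\\",
            "'"    => "\\'",
            "\""   => "\\\"",
            "\0"   => "\\0",
            "\n"   => "\\n",
            "\r"   => "\\r",
            "\x1a" => "\\Z",
        ]);
    }

    /** Quote a scalar for use as an SQL literal, the way addQuotes() does. */
    public function addQuotes($value): string
    {
        if ($value === null) {
            return 'NULL';
        }
        if (is_int($value)) {
            return (string) $value;
        }
        return "'" . $this->strencode((string) $value) . "'";
    }

    /** LIKE needs the wildcard characters % and _ escaped as well. */
    public function escapeLike(string $s): string
    {
        return strtr($this->strencode($s), ['%' => '\\%', '_' => '\\_']);
    }

    /**
     * The rule from the thread:
     *  - 'col' => $value   becomes  col = <addQuotes($value)>   (escaped for you)
     *  - 'col = othercol'  (numeric key) is emitted verbatim    (caller's job)
     */
    public function makeList(array $a, int $mode = TOY_LIST_COMMA): string
    {
        $parts = [];
        foreach ($a as $key => $value) {
            if (is_int($key)) {
                $parts[] = (string) $value;          // raw SQL fragment
            } elseif ($mode === TOY_LIST_AND && is_array($value)) {
                $parts[] = $key . ' IN (' . $this->makeList($value, TOY_LIST_COMMA) . ')';
            } elseif ($mode === TOY_LIST_AND && $value === null) {
                $parts[] = $key . ' IS NULL';
            } else {
                $prefix  = ($mode === TOY_LIST_AND) ? $key . ' = ' : '';
                $parts[] = $prefix . $this->addQuotes($value);
            }
        }
        return implode($mode === TOY_LIST_AND ? ' AND ' : ',', $parts);
    }

    /** Minimal stand-in for select(): only builds the SQL text. */
    public function selectSql(string $table, string $vars, array $conds): string
    {
        return "SELECT $vars FROM $table WHERE " . $this->makeList($conds, TOY_LIST_AND);
    }
}

$db = new ToyDb();
$userInput = "Foo' OR '1'='1";   // constructed sample input containing quotes

// 1. Array form: the value is quoted and escaped by the wrapper.
echo $db->selectSql('page', 'page_id',
    ['page_namespace' => 0, 'page_title' => $userInput]), "\n";

// 2. Escaping the value yourself first is double escaping: the backslashes
//    added by strencode() are escaped again and end up in the compared string.
echo $db->selectSql('page', 'page_id',
    ['page_title' => $db->strencode($userInput)]), "\n";

// 3. A column-to-column comparison must be a raw string element; the
//    'key' => 'value' form turns the right-hand side into a string literal.
echo $db->makeList(['page_id = rev_page'], TOY_LIST_AND), "\n";
echo $db->makeList(['page_id' => 'rev_page'], TOY_LIST_AND), "\n";

// 4. LIKE: the wrapper cannot know the operator, so escape % and _ explicitly.
$prefix = "50%_done";   // constructed sample containing both wildcards
echo "page_title LIKE '" . $db->escapeLike($prefix) . "%'", "\n";
```

Running it with `php` prints four queries: the first has the title quoted and its embedded quotes backslash-escaped; the second shows every backslash from the manual strencode() doubled again, which is the double-escaping pitfall; the third pair shows `page_id = rev_page` versus `page_id = 'rev_page'`; the last shows `%` and `_` escaped inside the LIKE pattern while the trailing `%` you appended yourself stays a wildcard. In MediaWiki itself, select() builds its WHERE clause through makeList() with LIST_AND and insert() its value list with LIST_COMMA, which is why the array form is escaped for you and the bare-string form is not.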