Since there is no function to check whether a string is escaped before entering it into the db, how can I do this with regex?

```php
$link = mysqli_connect('localhost', 'user', 'password', 'dbname');
$string = 'some" string';
// the regex here is a placeholder: what pattern would tell me the string is already escaped?
if (!preg_match('//', $string)) {
    // mysqli_real_escape_string needs the connection as its first argument
    $string = mysqli_real_escape_string($link, $string);
}
```
PHP manual:
mysqli_real_escape_string backslash-escapes the characters NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
Don’t try to do this.
If you try to come up with a way to know for sure whether a string is escaped or not, someone can just come in and make a string that will fool your detection method.
For example, if you used "\" as a test to make sure slashes are escaped, I can just give you a string like `"'; DROP DATABASE dbname(); --\\"`, which passes your inspection but is still horribly wrong.

If you can't use stored procedures and/or proper parameter handling for whatever reason, the only way to make sure your strings are clean is to clean every string from every untrusted source.
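A runnable illustration of the point above, added here and not part of the original thread. It uses Python with sqlite3 instead of PHP/mysqli; `looks_escaped`, `naive_escape` and `escape_if_needed` are a constructed stand-in for the question's "is it already escaped?" check, not the real mysqli function.

```python
import re
import sqlite3

# The heuristic from the question: "if the string already contains a
# backslash, it must have been escaped". Constructed stand-in, not mysqli.
def looks_escaped(s: str) -> bool:
    return re.search(r"\\", s) is not None

def naive_escape(s: str) -> str:
    # Minimal imitation of what an escaping function does to \ and '
    return s.replace("\\", "\\\\").replace("'", "\\'")

def escape_if_needed(s: str) -> str:
    """The flawed approach: skip escaping when the string 'looks escaped'."""
    return s if looks_escaped(s) else naive_escape(s)

def has_unescaped_quote(s: str) -> bool:
    """True if a single quote is not preceded by a backslash."""
    return re.search(r"(?<!\\)'", s) is not None

def store_with_parameters(value: str) -> str:
    """The correct approach: hand the value to the driver as a parameter
    and read it back. The database never interprets it as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT)")
    conn.execute("INSERT INTO t (name) VALUES (?)", (value,))
    row = conn.execute("SELECT name FROM t").fetchone()
    conn.close()
    return row[0]

# The string from the answer: ends in a backslash, so the heuristic
# believes it is already escaped and leaves the leading quote untouched.
PAYLOAD = "'; DROP DATABASE dbname(); --\\"
# A perfectly legitimate value that also fools the heuristic (constructed).
WINDOWS_PATH = "C:\\Users\\O'Brien"
```

The check fails in both directions: the hostile string is passed through with its quote still live, and an ordinary value containing a backslash is left unescaped too, while the parameterized insert stores each one byte-for-byte as data.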