PYTHON mysql_real_escape_string
Python replacement for PHP's mysql_real_escape_string
>>> import MySQLdb
>>> db = MySQLdb.connect(host='localhost',user='root',passwd='')
>>> s = "\'sma\\"
>>> db.escape_string(s)
"\\'sma\\\\"

mysql_real_escape_string
(PHP 4 >= 4.3.0, PHP 5)
mysql_real_escape_string — Escapes special characters in a string for use in a SQL statement

Description
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Parameters
Return Values
Returns the escaped string, or FALSE on error.

Examples
Example #1 Simple mysql_real_escape_string() example
<?php
Example #2 An example SQL Injection Attack
<?php

The query sent to MySQL:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

This would allow anyone to log in without a valid password.
Example #3 A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

<?php

The query will now execute correctly, and SQL Injection attacks will not work.
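
The escaping rule and the Example #2 query above, modelled in pure Python as an added example (not code from the original page, from MySQLdb or from PHP). The names escape_string, build_query and sql_outside_literals are hypothetical, the model ignores the connection character set, and the password value is constructed from the query shown in Example #2.

```python
# Added example: a pure-Python model of the escaping rule quoted above.
# Hypothetical helper names; ignores the connection character set.

# Characters listed in the manual text, mapped to their escaped form.
_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_string(value):
    """Backslash-escape value for use inside a quoted MySQL string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_query(user, password, escape=True):
    """Build the login query from Example #2, with or without escaping."""
    if escape:
        user, password = escape_string(user), escape_string(password)
    return ("SELECT * FROM users WHERE user='%s' AND password='%s'"
            % (user, password))


def sql_outside_literals(query):
    """Replace each single-quoted literal with '?' to expose the SQL structure.

    Uses MySQL's default literal rules: a backslash escapes the next
    character and '' inside a literal is an escaped quote.
    """
    out, i, n = [], 0, len(query)
    while i < n:
        if query[i] != "'":
            out.append(query[i])
            i += 1
            continue
        i += 1                                  # skip the opening quote
        while i < n:
            if query[i] == "\\" or query[i:i + 2] == "''":
                i += 2                          # escaped char or doubled quote
            elif query[i] == "'":
                i += 1                          # closing quote
                break
            else:
                i += 1
        out.append("?")
    return "".join(out)


if __name__ == "__main__":
    # Constructed input: the password value behind the Example #2 query.
    for escape in (False, True):
        q = build_query("aidan", "' OR ''='", escape)
        print(q, "->", sql_outside_literals(q))
```

Without escaping, the structure comes out as `user=? AND password=? OR ?=?`; with escaping it stays `user=? AND password=?`. Against a live connection, use db.escape_string() as shown at the top of the page, or pass the values as the second argument to cursor.execute() so that MySQLdb quotes them.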
Notes
See Also