Modules/MySQL/MysqlSafeString: Difference between revisions

From Multi Theft Auto: Wiki
No edit summary
 
No edit summary
Line 2: Line 2:
{{ModuleFunction|MySQL}}
{{ModuleFunction|MySQL}}


This function escapes a given string so it's safe to pass as a query to [[mysqlQuery]]. Please use this as sanity checking function to prevent bad things like SQL injection.
This function escapes a given string so it's safe to pass as a query to [[Modules/MySQL/MysqlQuery|mysqlQuery]]. Please use this as sanity checking function to prevent bad things like SQL injection.


The function needs an already established connection to a MySQL database, because it reads out the character set from that database to escape the string.
The function needs an already established connection to a MySQL database, because it reads out the character set from that database to escape the string.
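Review bot: in the first sentence, which this change rewords, "safe to pass as a query" reads as if a whole query can be escaped and then run. Since the line is being edited anyway, say the string becomes safe to embed in a query sent to mysqlQuery, and correct "as sanity checking function" to "as a sanity-checking function".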
Line 10: Line 10:


===Required Arguments===
===Required Arguments===
*'''db''' : A ''mysql'' object created by [[mysqlCreate]]
*'''db''' : A ''mysql'' object created by [[Modules/MySQL/MysqlCreate|mysqlCreate]]
*'''query''' : The MySQL query that needs to be escasped
*'''query''' : The MySQL query that needs to be escasped
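Review bot: the '''query''' line under Required Arguments is carried over unchanged and still has the typo "escasped". Correct it to "escaped" while this section is being touched, and consider describing the argument as the string to escape, since "The MySQL query" suggests the whole statement is passed in.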



Revision as of 22:01, 29 January 2007


This function is provided by the external module MySQL. You must install this module to use this function.


This function escapes a given string so that it is safe to use in a query passed to mysqlQuery. Use it as a sanity-checking function to prevent problems such as SQL injection.

The function needs an already established connection to a MySQL database, because it reads out the character set from that database to escape the string.

Syntax

string mysqlSafeString ( mysql db, string query )

Required Arguments

  • db : A mysql object created by mysqlCreate
  • query : The MySQL query that needs to be escaped

Optional Arguments

None

Example

function onMySQLOpen ( result )
	if ( result ) then
		outputServerLog ( "MySQL connection established." )
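		-- escape the user-supplied string using the connection's character set
		local safe = mysqlSafeString ( db, some_string_passed_by_a_user )
		-- the escaped value is only safe inside a quoted string literal, so wrap it
		-- in quotes; "name" is a hypothetical column used for illustration
		mysqlQuery ( db, "onMySQLResult", "SELECT * FROM test WHERE name = '".. safe .."'" )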
	else
		outputServerLog ( "MySQL connection failed." )
	end
end

function mysqltest ()
	db = mysqlCreate ()
	mysqlOpen ( db, "onMySQLOpen", "localhost", "bastage", "bastage_pw", "test", 3306 )
end
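
The following is an added example, not part of the original wiki page or the MySQL module. It shows why an escaped string is only safe inside a quoted string literal and why a user-chosen column name needs an allow-list instead. escapeModel is a stand-in for mysqlSafeString so the script runs without a database; the column names and inputs are constructed.

```lua
-- escapeModel is an assumption standing in for mysqlSafeString: it escapes the
-- characters that are special inside a quoted MySQL string literal and ignores
-- the connection character set that the real function reads.
local ESCAPES = {
	["\0"] = "\\0", ["\n"] = "\\n", ["\r"] = "\\r", ["\026"] = "\\Z",
	["\\"] = "\\\\", ["'"] = "\\'", ['"'] = '\\"',
}

local function escapeModel ( s )
	-- %c matches every control character; ones missing from ESCAPES are left as they are
	return ( s:gsub ( "[%c\\'\"]", ESCAPES ) )
end

-- Hypothetical column names for the "test" table. Identifiers are checked against
-- a fixed list, because escaping does nothing for text that sits outside quotes.
local ALLOWED_COLUMNS = { name = true, score = true }

local function buildQuery ( column, value )
	if not ALLOWED_COLUMNS[column] then
		return nil, "column not allowed: " .. tostring ( column )
	end
	return "SELECT " .. column .. " FROM test WHERE name = '" .. escapeModel ( value ) .. "'"
end

-- Constructed inputs.
-- 1. A quote inside a value is escaped, so it cannot close the string literal.
assert ( escapeModel ( "O'Brien" ) == "O\\'Brien" )
assert ( buildQuery ( "name", "x' OR '1'='1" ) ==
	"SELECT name FROM test WHERE name = 'x\\' OR \\'1\\'=\\'1'" )

-- 2. Text without special characters passes through unchanged, so escaping alone
--    gives no protection when the text is used as a column name.
local columnInput = "name, score"
assert ( escapeModel ( columnInput ) == columnInput )

-- 3. The allow-list rejects that input before any SQL is built.
local sql, err = buildQuery ( columnInput, "x" )
assert ( sql == nil and err == "column not allowed: " .. columnInput )

print ( buildQuery ( "score", "O'Brien" ) )
```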