[PHPLIB-DEV] Quote in DB_Sql From: Alexander Aulbach (ssilk <email protected>)
Date: 02/14/00

I'm planning to implement a quote-function to the DB_Sql-Classes. I found
out, that using the magic_quotes_gpc-switch in PHP is very ugly and
dangerous for programming professional web applications. (I can explain
it, if you want, but not now. But I'm not very lucky about the
explanations about this switch in the PHP-Lib manual and to switch it on,
more correct is to switch it off!)

AddSlashes() is doing its job most of the time, but for Oracle for
example a string "'" must be escaped to "''" but this provides, that you
are able to change magic_quotes_sybase and it must be set. Why by the
Hell is this called magic_quotes_*SYBASE*, when I need it to be set for
Oracle? And what happens, if I need to use mysql AND oracle in one
application?

Why does the programming language know about how to escape
a string for another program? This is, from the informatics side of the
problem, hard to understand. And it is a deep trap for the programmer.

Perl-DBI for example supports such a function and returns a string
correctly quoted and escaped. For mysql this is very easy: one just needs to
call mysql_escape_chars() from inside the API. But PHP doesn't support
this. :-(

So for implementing it, I need a list of escape-Chars:

mysql for example looks like this:

Quoting char: '

Escape chars "must be":
\0 Ascii 0
\' single quote
\\ backslash
\" double quote

Escape chars "could be":
\n newline (Ascii 10)
\t tab (ascii 9)
\r CR (Ascii 13)

Escape-Chars for Wildcards:
\% % Percent - any chars
\_ _ Underscore - one char

NULL-Value:
For Strings NULL
For Number NULL

''-Strings yes ('' for a string is '' not NULL)
NULL is Space no (NULL is replaced with ' ' - for SAP, MSSQL and others)

So, would you please be so kind to give me such lists for msql (perhaps
identical?), sybase, odbc and postgres?

The call to this function should look like this:

        function quote ($value,$phptype='',$special='')

will return $value correctly escaped and quoted. If $phptype is a
number-type (integer, real) it will not escape and take integer or real
from it. It also tries to handle NULL-values and functions, e.g. $special
is set to "n", the function returns for "NULL" "NULL" not "'NULL'".

For wildcards that should be escaped,

        function quote_wildcard ($value)

replaces wildcard-chars and calls quote().

Query-Class will also support these functions:

        function auto_quote ($value,$table,$colname,$special='')

will check which PHP type the column in this table has and call quote
with the correct type.

Comments?

-- 

SSilk - Alexander Aulbach - Herbipolis/Frankonia Minoris - (0931)22032

- PHPLIB Developers Mailing List. Send messages to <phplib-dev <email protected>>. To unsubscribe, send "unsubscribe" to <phplib-dev-request <email protected>> in the body, not the subject, of your message.
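The quote() and quote_wildcard() design sketched in the post above, worked through as an added PHP example (not PHPLIB's own code). It assumes a $driver argument, which the post does not mention, to pick the escaping rule: MySQL's backslash escapes from the list above versus the doubled single quote for Oracle/Sybase. The 'int'/'real' type names and the 'n' special flag follow the post.

```php
<?php
// Added example, not PHPLIB code. $phptype '' means string; 'int' or 'real'
// yields an unquoted number. $special 'n' lets the literal string "NULL"
// through as SQL NULL. $driver (an assumption) selects the escaping rule.
function quote($value, $phptype = '', $special = '', $driver = 'mysql')
{
    // A real NULL, or the string "NULL" when $special contains 'n'
    if ($value === null || (strpos($special, 'n') !== false && $value === 'NULL')) {
        return 'NULL';
    }
    // Numeric columns are never quoted; the cast guarantees only a number
    // reaches the query, whatever the caller passed in
    if ($phptype === 'int' || $phptype === 'integer') {
        return (string) (int) $value;
    }
    if ($phptype === 'real' || $phptype === 'double') {
        return (string) (float) $value;
    }
    $value = (string) $value;
    if ($driver === 'mysql') {
        // "must be" set: NUL, single quote, backslash, double quote;
        // "could be" set: newline, tab, CR. strtr() makes one pass, so an
        // inserted backslash is never escaped a second time.
        $escaped = strtr($value, [
            "\0" => '\\0', "'" => "\\'", '\\' => '\\\\', '"' => '\\"',
            "\n" => '\\n', "\t" => '\\t', "\r" => '\\r',
        ]);
    } else {
        // Oracle/Sybase style: a single quote inside the literal is doubled
        $escaped = str_replace("'", "''", $value);
    }
    return "'" . $escaped . "'";
}

// LIKE wildcards: escape %, _ and the escape char itself, then quote as a
// normal MySQL string, so user input can only ever match itself literally.
// (Other databases need an ESCAPE clause on the LIKE; not handled here.)
function quote_wildcard($value)
{
    $value = strtr((string) $value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return quote($value, '', '', 'mysql');
}

// Constructed input showing the same value quoted for both driver families
$input = "O'Reilly \\ 100%";
echo quote($input), "\n";
echo quote($input, '', '', 'oracle'), "\n";
echo quote('42abc', 'int'), "\n";
echo quote('NULL', '', 'n'), "\n";
echo quote_wildcard($input), "\n";
```

Note that auto_quote() would wrap quote() by looking up the column type, so the numeric cast above is what keeps a string smuggled into an integer column from reaching the query.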