0

I get this error when I run mysql_real_escape_string($value).

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to MySQL server on 'localhost' (10061) in ...

I wrapped up the functionality in a nice class like this

class escaper
{
    function __get($value)
    {
    //in order for this to work properly, I must have a live connection to mysql
        return mysql_real_escape_string($value);
    }
}

/*

//sample usage
$safe = new escaper;
$name = "O'Reilly";
echo $safe->$name

In case someone goes down that road again, let me say it upfront that Yes! I should use PDO and parametrized queries and that the above method is not that safe.

Average Joe
  • 4,521
  • 9
  • 53
  • 81

1 Answers1

0

how do you programmatically tell whether a mysql connection is present?

we just don't need that.
connection is always present

Escaping being a part of the DB class.
Connect to the database is the very first thing this class doing in the constructor.
And connect resource stored in the class variable.
So, only we need is to use this variable - easy-peasy.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • Well, once you got your $dbh ( the database handle ), sure the escaper will work, sure I won't get that message. When the developer uses this function, before creating a connection to mysql, he gets that bloddy error. My goal is to catch it and display it to the developer gracefully, telling him that he needs a $dbh first. I do not recommend the developer to use the escaper before setting a mysql connection. (even if he wanted to do, he cannot anyway cause mysql_real_escape_string functionality will only be available after the connection anyway. All I'm trying is to avoid the run time error. – Average Joe Apr 05 '12 at 03:54
  • Your design is wrong. A developer should never use your escaper aside from the db context. And there should be no distinct escaper class which does not make a sense. I have also a feeling that you do not understand the purpose of escaping, like everyone else does – Your Common Sense Apr 05 '12 at 04:31
  • You're right saying "never use your escaper aside from the db context.". No doubt. Your other observation "you do not understand the purpose of escaping" is an interesting one. Let's see. I escape for one and only one reason, and that is to prevent the SQL syntax from being changed, from its original intended lexicon. One way to do that is to wrap all input ( even numbers ) with single quotes. I treat all input the same to address 2nd degree injection & before I run a *my*SQL, I make sure all $input is escaped with the my_sql_r_e_s.. This is ofcourse only when I don't use prepared statements. – Average Joe Apr 05 '12 at 13:03
  • it will fail on the LIMIT clause parameters but for the rest of the data this approach is okay. I don't though understand why do you add escaping and quotes separately. Why can't your escaper add quotes as well as escaping at the same point? – Your Common Sense Apr 05 '12 at 14:27
  • That's right, it will fail on certain parts of the SQL such as the tablenames, desc vs asc, limit stuff and groupby etc etc... for those nothing but mapped array to be used. even PDO won't do any good on that. Question: why do we tick the table and column names in SQL as best practice? ex: select `mycol1`,`mycol2` from `mytable`. Can the ticks in any shape or form be of any help against sql injection? for example, if I make the ` as part of the escaper so all `s are escaped by \`, would that give us any protection? ex: select `{safe->$col1}` you know what I mean? – Average Joe Apr 06 '12 at 19:36
  • shoot. the tick is interpreted by the markdown here! so let me rewrite the bottom part, replaceing the ticks with ~. – Average Joe Apr 06 '12 at 19:37
  • ex: select ~mycol1~,~mycol2~ from ~mytable~. Can the ticks ( represented as ~ here ) in any shape or form be of any help against sql injection? for example, if I make the ~ as part of the escaper so all ~s are escaped by \~, would that give us any protection? ex: select ~{safe->$col1}~ you know what I mean? – Average Joe Apr 06 '12 at 19:39
  • you can escape a tick with another tick. but I still don't see any sanity in your design – Your Common Sense Apr 07 '12 at 05:06
  • Part of a framework I'm building. When I ask questions from its bits and pieces, it sure does not make sense. U need to see the whole thing to make sense of it. – Average Joe Apr 07 '12 at 08:33
  • Well, a scientist can tell the whole animal by one fossil. – Your Common Sense Apr 07 '12 at 18:12