
I wish there were a new PHP syntax that would escape strings before substituting them. Like this:

  $escaped_query = "INSERT INTO t (a,b) VALUES ('$!some','$!thing')";

The "!" means "escape this variable".

That would be the easiest way to create queries with escaped parameters.




Escape for what? MySQL? MSSQL? PGSQL? All have slightly different things that need to be escaped.


I've experimented with a variation of this.

Something like ...

  // Build a second array holding the escaped copy of every request value
  $REQUEST = array();
  foreach ($_REQUEST as $k => $v) {
    $REQUEST[$k] = mysql_real_escape_string($v);
  }

  $query = "INSERT INTO table VALUES('$REQUEST[email]', '$REQUEST[name]')";
Problem is, this only works if you don't plan on modifying any of the values before you stick them in the database.

You could also do something like ...

  // $e must hold the function name before the string is built, and esc()
  // must return the escaped value for the {$e(...)} interpolation to work
  $e = 'esc';
  function esc($v) {
    return mysql_real_escape_string($v);
  }

  $query = "INSERT INTO table VALUES('{$e($_REQUEST['email'])}', '{$e($_REQUEST['name'])}')";
But I think that looks pretty ugly.


Hey, the {$e('$value')} idea is interesting.

old way:

  $sql_email = mysql_real_escape_string($email);
  $sql = "UPDATE t SET email='$sql_email' WHERE id=123";
your idea:

  $sql = "UPDATE t SET email='{$e($email)}' WHERE id=123";
I'm not yet sure which one I like more.
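As an added example, not code from any commenter in this thread: the proposed `$!name` markup can be compiled into a PDO prepared statement instead of an escaped string, which also answers the "escape for which database?" question above, because bound values never enter the SQL text. It assumes an existing PDO connection in `$pdo` and that every `$!name` marker names a key of the `$params` array.

```php
<?php
// Rewrite "$!name" markers (optionally wrapped in single quotes, as in the
// proposal) into ":name" placeholders and collect the values to bind.
// Returns [sql, bound values]. Missing values are an error rather than an
// empty string, so a typo in a marker cannot silently widen a WHERE clause.
function compile_query(string $template, array $params): array
{
    $bound = [];
    $sql = preg_replace_callback(
        '/\'?\$!([A-Za-z_]\w*)\'?/',
        function (array $m) use ($params, &$bound): string {
            $name = $m[1];
            if (!array_key_exists($name, $params)) {
                throw new InvalidArgumentException("no value supplied for \$!$name");
            }
            $bound[":$name"] = $params[$name];
            return ":$name";
        },
        $template
    );
    return [$sql, $bound];
}

// Constructed input: the thread's INSERT, with values that would break naive
// interpolation. "$!" is not a PHP variable start, so it survives the string.
[$sql, $bound] = compile_query(
    "INSERT INTO t (a,b) VALUES ('$!some','$!thing')",
    ['some' => "O'Brien", 'thing' => "x'); DROP TABLE t; --"]
);
// $sql is now: INSERT INTO t (a,b) VALUES (:some,:thing)

// $pdo is assumed to be an already-opened PDO connection.
$stmt = $pdo->prepare($sql);
$stmt->execute($bound);
```

Using the same `$!name` marker twice in one statement produces a duplicated named placeholder, which native MySQL prepares reject unless `PDO::ATTR_EMULATE_PREPARES` is enabled.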



