escape

Last edited by JP DeVries on Aug 10, 2013.


API:DB:escape

API Quick reference
Variable name: escape
MODX versions: 0.9.x + Evolution
Input parameters: (string $s)
Return if successful: MySQL escaped string $s
Return type: string
Return on failure: string $s
Object parent: DocumentParser -> DBAPI

Description

string escape(string $s);

Escaping potentially dangerous characters in a string before using it in a query can help protect your script against SQL injection attacks.

This function escapes strings passed to it in preparation for inclusion in a MySQL query. If available, it uses mysql_real_escape_string, which is binary and character set safe. If mysql_real_escape_string is not available, it falls back to mysql_escape_string to escape the data.

Usage / Examples

function login($username, $password)
{
   global $modx;
   // Escape user input before placing it inside quoted string literals
   $username = $modx->db->escape($username);
   $password = $modx->db->escape($password);

   // getFullTableName() adds the database name and table prefix
   $res = $modx->db->select("id", $modx->getFullTableName("web_users"),
      "username='$username' AND password='".md5($password)."'");
   if($modx->db->getRecordCount($res))
   {
      // Fetch the matched row to read the user's id
      $row = $modx->db->getRow($res);
      $_SESSION['userid'] = $row['id'];
      //other log in things...
   }
   else
   {
      //incorrect login
   }
}

$string = "This is Joe's Page";
$string = $modx->db->escape($string);

This will result in the string "This is Joe\'s Page".
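The following is an added example, not part of the MODX documentation or code base. It shows that escaping protects a value only inside a quoted string literal, and that a value used in an unquoted numeric position needs type validation instead. `demo_escape()` is a hypothetical stand-in for `$modx->db->escape()` so the script runs without a database connection; the `where_*` helper names and the sample inputs are also assumptions made for illustration.

```php
<?php
// Stand-in for $modx->db->escape(), constructed for this example so it runs
// without a database: it backslash-escapes the characters that
// mysql_escape_string() escapes (NUL, \n, \r, \, ', ", Ctrl-Z).
function demo_escape($s)
{
    return strtr((string)$s, array(
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
    ));
}

// Quoted string context: the quote in the input is backslash-escaped, so the
// value cannot terminate the surrounding '...' literal.
function where_username($username)
{
    return "username='" . demo_escape($username) . "'";
}

// Unquoted numeric context, escaped only: an input without quotes or
// backslashes contains nothing to escape and reaches the clause unchanged.
function where_id_escaped_only($id)
{
    return "id=" . demo_escape($id);
}

// Numeric context handled by type: anything that is not an integer is rejected.
function where_id_validated($id)
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    return "id=" . $n;
}

// Constructed sample inputs; compare the three generated WHERE clauses.
echo where_username("Joe's"), "\n";
echo where_id_escaped_only("1 OR 1=1"), "\n";
echo where_id_validated("42"), "\n";
try {
    where_id_validated("1 OR 1=1");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```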

select, query, [insert], update

Function Source

File: manager/includes/extenders/dbapi.class.inc.php
Line: 117

function escape($s) {
   if (function_exists('mysql_real_escape_string') && $this->conn) {
      $s = mysql_real_escape_string($s, $this->conn);
   } else {
      $s = mysql_escape_string($s);
   }
   return $s;
}