h1. API:DB:escape
{info:title=API Quick reference }
| Variable name: | escape |
| Modx versions: | 0.9.x + Evolution |
| Input parameters: | (string $s) |
| Return if successful: | MySQL escaped string $s |
| Return type: | string |
| Return on failure: | string $s |
| Object parent: | [DocumentParser|DocumentParser Object] -> [DBAPI] |
{info}
h2.Description
{code}string escape(string $s);{code}
Escaping potentially dangerous characters in a string before using it in a query helps protect your script against SQL injection attacks.
The function escapes strings passed to it in preparation for inclusion in a MySQL query. If it is available, the function uses mysql_real_escape_string, which is binary-safe and aware of the connection's character set. If mysql_real_escape_string is not available, it falls back to mysql_escape_string to escape the data. Note that escaping only protects a value placed inside a quoted SQL literal; it does nothing for a value inserted unquoted (for example a numeric id), which must be validated or cast instead.
h2. Usage / Examples
{code}function login($username, $password)
{
    global $modx, $table_prefix;
    // Hash the raw password first: the stored value is the md5 of what the user typed,
    // and md5 output is hex, so it needs no escaping. Escaping before hashing would
    // change the hash for any password containing a quote or backslash.
    $hash = md5($password);
    $username = $modx->db->escape($username);
    // $table_prefix already ends with the prefix (e.g. "modx_"), so append only the table name
    $res = $modx->db->select("id", $table_prefix."web_users",
        "username='$username' AND password='$hash'");
    if($modx->db->getRecordCount($res))
    {
        $row = $modx->db->getRow($res);
        $_SESSION['userid'] = $row['id'];
        //other log in things...
    }
    else
    {
        //incorrect login
    }
}{code}
{code}$string = "This is Joe's Page";
$string = $modx->db->escape($string); {code}
This will result in the string "This is Joe\'s Page".
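The following is an added example, not code from this page or from MODx: a stand-alone Python re-implementation of the escaping rules that escape() delegates to MySQL, used to show what the login() pattern above relies on and where escaping stops. The function names (mysql_escape, build_login_where, numeric_id_where, count_quoted_literals) and the sample inputs are constructed for the example.

```python
import hashlib

# Characters that MySQL's mysql_real_escape_string rewrites inside a quoted
# literal (for single-byte connection charsets such as latin1/utf8).
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(s: str) -> str:
    """Re-implementation (not the DBAPI) of the escaping that escape() delegates
    to MySQL: each special character gets a backslash form so the value can sit
    inside a quoted SQL literal without terminating it."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def build_login_where(username: str, password: str) -> str:
    """Same construction as the login() example: hash the raw password first,
    then escape both values and place them inside single quotes."""
    password_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    return "username='%s' AND password='%s'" % (
        mysql_escape(username),
        mysql_escape(password_hash),  # hex only, so escaping is a no-op here
    )


def numeric_id_where(raw_id: str) -> str:
    """Escaping only helps inside quotes. For an unquoted numeric column the
    defence is type validation: int() raises ValueError for anything that is
    not an integer, so no non-numeric text ever reaches the query."""
    return "id=%d" % int(raw_id)


def count_quoted_literals(sql: str) -> int:
    """Count closed single-quoted literals the way a MySQL parser tokenizes
    them (a backslash consumes the next character inside a literal). Used to
    check that an escaped value never closes the literal it was placed in."""
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_literal and ch == "\\":
            i += 2  # an escaped character never terminates the literal
            continue
        if ch == "'":
            if in_literal:
                count += 1
            in_literal = not in_literal
        i += 1
    return count


if __name__ == "__main__":
    print(mysql_escape("This is Joe's Page"))  # This is Joe\'s Page
    where = build_login_where("o'brien", "secret")
    print(where, "->", count_quoted_literals(where), "literals")
```

With the username o'brien the WHERE clause still tokenizes as exactly two literals, whereas the same name dropped in unescaped leaves an unbalanced quote. The numeric_id_where helper shows the complementary rule the description states: for unquoted values, validate the type rather than rely on escape().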
h2. Related
[select], [query], [insert], [update]
h2. Function Source
File: manager/includes/extenders/dbapi.class.inc.php
Line: 117
{code}function escape($s) {
if (function_exists('mysql_real_escape_string') && $this->conn) {
$s = mysql_real_escape_string($s, $this->conn);
} else {
$s = mysql_escape_string($s);
}
return $s;
}{code}