Tycoon Talk
PHP Forum
preg_replace between (')'s
Old 07-27-2008, 04:56 PM preg_replace between (')'s
Inet411 (Skilled Talker, Posts: 88)
I have to show an example, as it will explain better than I can with words alone.

I want to mysql_real_escape_string my data before I make a query.
Here is a sample:
PHP Code:
$where = "article_name = 'some_article_name'";
Here is what I currently have that will real escape anything between the single quotes :

PHP Code:
$where = preg_replace("/(')(.*)(')/eis", "'$1' . mysql_real_escape_string('$2') . '$3'", $where);
Works great, but if my original $where is:
PHP Code:
$where = "article_name = 'some_article_name' AND article_title = 'something'";
Now the preg_replace takes the first single quote and the last single quote and escapes in between, leaving me with:
PHP Code:
article_name = 'some_article_name\' AND article_title = \'something'
See how it escapes the single quotes in between the first and last.

I would like it to only escape between each SET of single quotes.
Anyone have any advice?
Old 07-27-2008, 08:34 PM Re: preg_replace between (')'s
frost (Extreme Talker, Posts: 238, Location: United States)
I think that you should not escape queries with the help of preg_replace. Not only do you have to detect when you have multiple conditions in your where statement, but you have to worry about quotes inside each value. Let's say your $where var is something like this:
PHP Code:
$where = "article = '$value'";
If $value somehow manages to be something like ' OR '1'='1, (see SQL injection) then your $where variable will contain this:
PHP Code:
"article = '' OR '1'='1'"
I don't think there's any way you can properly sanitize that with the method you are currently using, nor with the method you want to use.

I think a much safer way is to use mysql_real_escape_string individually on every single variable you put in a query.
PHP Code:
$where = "article = '" . mysql_real_escape_string($value) . "'";
This prevents SQL errors and SQL injection, and even though it may make your PHP code around queries look longer (and possibly more complex), it's a very good habit to follow imho.
 
Old 07-28-2008, 04:52 PM Re: preg_replace between (')'s
awatson (Average Talker, Posts: 18)
I think frost is correct, but in case it's helpful otherwise - I think the problem with your regular expression is that it's too "greedy" - try this:

Code:
$where = preg_replace("/(')(.*?)(')/eis", "'$1' . mysql_real_escape_string('$2') . '$3'", $where); 
The key is the "?" in the pattern that tells it not to be so greedy.
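The two replies can be checked side by side. The following is an added Python example, not code from the thread or from PHP: re.sub with a callback stands in for preg_replace's /e modifier, and escape() is a constructed stand-in for mysql_real_escape_string (it backslash-escapes the same characters but needs no database connection).

```python
import re

# Constructed stand-in for PHP's mysql_real_escape_string: backslash-escapes
# backslash, both quote characters, NUL, newline, CR and Ctrl-Z.
def escape(value: str) -> str:
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

# The original post's greedy pattern and awatson's non-greedy version.
GREEDY = re.compile(r"(')(.*)(')", re.S | re.I)
LAZY = re.compile(r"(')(.*?)(')", re.S | re.I)

def escape_between_quotes(where: str, pattern: re.Pattern) -> str:
    """Equivalent of the thread's preg_replace(..., /eis, ...) call:
    escape whatever the pattern captured between two single quotes."""
    return pattern.sub(
        lambda m: m.group(1) + escape(m.group(2)) + m.group(3), where)

def build_where_safely(value: str) -> str:
    """frost's advice: escape each value before it is spliced into $where,
    so the quote boundaries are never ambiguous."""
    return "article = '" + escape(value) + "'"

if __name__ == "__main__":
    two = "article_name = 'some_article_name' AND article_title = 'something'"
    print(escape_between_quotes(two, GREEDY))  # inner quotes get escaped
    print(escape_between_quotes(two, LAZY))    # each pair handled on its own
    raw = "article = '' OR '1'='1'"            # frost's injected value, spliced raw
    print(escape_between_quotes(raw, LAZY))    # unchanged: still an injection
    print(build_where_safely("' OR '1'='1"))   # value escaped before splicing
```

Note that the lazy regex also leaves a value containing a quote, such as O'Reilly, broken, which is frost's second objection: once the value is inside the string, the regex cannot tell a value's quote from a delimiter.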