Paul Jones wrote:
I am creating a custom special page to gather some
information from the user. I
have created a table to store the data in and am trying to use the Database
object to access it. This all works fine, but I need to validate the user
input. I would like to use mysql_real_escape_string to avoid SQL injection,
but there does not seem to be any function in the Database object to escape
a string.
There are several functions for it.
If you need to construct SQL strings, the recommended way to add a
properly formatted quoted string literal to it is with
Database::addQuotes(). This includes both the surrounding quotes and the
escaping of the string itself:
$sql = "SELECT foo FROM bar WHERE baz=" . $db->addQuotes($quux);
Most database access in the wiki uses the higher-level wrapper functions
which pass raw data in associative arrays, and let the Database
interface construct the SQL and do escaping:
$result = $db->select( 'bar',
    array( 'foo' ),
    array( 'baz' => $quux ) );
-- brion vibber (brion @ pobox.com)
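As an added example (not code from either message above, and not from the MediaWiki code base itself), here is how a special page can write and read its own table through the Database object so that user input never lands unescaped in SQL text. The table name 'user_survey' and its columns 'us_user' and 'us_answer' are made up for the illustration; wfGetDB(), insert(), select(), addQuotes(), tableName(), query() and fetchObject() are the real Database API calls of the era. The commented-out line in countMatchingAnswers() shows the unsafe interpolation the question is worried about, beside the addQuotes() form that replaces it.

```php
<?php
// Added example, not from the original thread. Assumes a table
// 'user_survey' (us_user INT, us_answer TEXT); that name is invented.

// Write: raw data goes in an associative array and the Database layer
// quotes and escapes every value, so $answer never touches the SQL text.
function saveSurveyAnswer( $userId, $answer ) {
	$dbw = wfGetDB( DB_MASTER );
	$dbw->insert( 'user_survey',
		array( 'us_user' => (int)$userId, 'us_answer' => $answer ),
		__METHOD__ );
}

// Read: the select() wrapper builds WHERE us_user='...' itself.
function getSurveyAnswers( $userId ) {
	$dbr = wfGetDB( DB_SLAVE );
	$res = $dbr->select( 'user_survey',
		array( 'us_answer' ),
		array( 'us_user' => (int)$userId ),
		__METHOD__ );
	$answers = array();
	while ( $row = $dbr->fetchObject( $res ) ) {
		$answers[] = $row->us_answer;
	}
	return $answers;
}

// When a query really has to be assembled by hand, addQuotes() supplies
// both the surrounding quotes and the escaping of the value.
function countMatchingAnswers( $answer ) {
	$dbr = wfGetDB( DB_SLAVE );
	// Unsafe form: a quote character in $answer would change the query.
	// $sql = "SELECT COUNT(*) AS n FROM user_survey WHERE us_answer='$answer'";
	$sql = 'SELECT COUNT(*) AS n FROM ' . $dbr->tableName( 'user_survey' ) .
		' WHERE us_answer=' . $dbr->addQuotes( $answer );
	$res = $dbr->query( $sql, __METHOD__ );
	$row = $dbr->fetchObject( $res );
	return (int)$row->n;
}
```

Casting numeric input with (int) before it reaches the array is cheap extra validation, but the escaping itself is done by the Database object in every path above, which is the point of the reply: there is no need to call mysql_real_escape_string() directly.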