How to use MySQL escaping in Magento?

Time: 2022-12-04 00:15:50

I want to escape a string in Magento, but when I use mysql_real_escape_string, I get a warning.

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.soc.....'


I couldn't find any Magento core MySQL escape function. So, what should I do?

2 solutions

#1

24

Use this to escape a string for a query and add the surrounding single quotes:


Mage::getSingleton('core/resource')->getConnection('default_write')->quote($string);

You can look up Varien_Db_Adapter_Pdo_Mysql for further quoting details if needed.


#2

7

I think Magento uses a DB Access layer based on PDO, which handles escaping automatically provided you use bound parameters. Example from Using Magento Methods to write Insert Queries with care for SQL Injection


// Write-capable connection from Magento's resource singleton
$write = Mage::getSingleton("core/resource")->getConnection("core_write");

// Concatenated with . for readability; :name, :email, :company, :desc are
// named placeholders that PDO fills from $binds, so no manual escaping is needed
$query = "insert into mage_example "
       . "(name, email, company, description, status, date) values "
       . "(:name, :email, :company, :desc, 0, NOW())";

// The value for 'name' contains a quote and "or 1=1"; because it is bound rather
// than concatenated into the SQL, it is stored as a literal string
$binds = array(
    'name'    => "name' or 1=1",
    'email'   => "email",
    'company' => "company",
    'desc'    => "desc",
);
$write->query($query, $binds);
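The following is an added example, not code from either answer or from Magento itself. It puts the two approaches the answers describe side by side: the adapter's quote() (answer #1, with the related quoteInto() inherited from the Zend_Db adapter that Varien_Db_Adapter_Pdo_Mysql extends) and named bind parameters (answer #2), against the raw concatenation that the asker's mysql_real_escape_string attempt was trying to protect. It assumes a Magento 1 install bootstrapped through app/Mage.php, an existing table named mage_example with the columns used in answer #2, and a constructed sample input; the table and column names come from answer #2, everything else is an assumption for the example.

```php
<?php
// Added example (assumes a Magento 1 bootstrap at app/Mage.php and the
// mage_example table from answer #2). Not part of Magento or the answers above.
require_once 'app/Mage.php';
Mage::app();

$resource = Mage::getSingleton('core/resource');
$read  = $resource->getConnection('core_read');
$write = $resource->getConnection('core_write');

// Constructed sample: input containing a single quote, the character that
// breaks out of a string literal when concatenated into SQL unescaped.
$userInput = "name' or 1=1";

// UNSAFE (shown only to illustrate what the escaping prevents): the quote in
// $userInput terminates the literal and the rest of the value becomes SQL.
$unsafeSql = "select * from mage_example where name = '" . $userInput . "'";

// Option 1 (answer #1): quote() escapes the value AND adds the surrounding
// single quotes, so the whole input stays inside one string literal.
$quotedSql = "select * from mage_example where name = " . $read->quote($userInput);

// Option 1b: quoteInto() does the same substitution for a ? placeholder.
$quotedSql2 = $read->quoteInto("select * from mage_example where name = ?", $userInput);

// Option 2 (answer #2): named bind parameters. The value is never spliced
// into the SQL text; PDO passes it separately, so no quoting code is involved.
$rows = $read->fetchAll(
    "select * from mage_example where name = :name",
    array('name' => $userInput)
);

// The same rule for writes: insert() builds the statement with bound values
// from the associative array, so the quote in 'name' is stored literally.
$write->insert('mage_example', array(
    'name'        => $userInput,
    'email'       => 'user@example.invalid',
    'company'     => 'Example Co',
    'description' => 'constructed sample row',
    'status'      => 0,
    'date'        => new Zend_Db_Expr('NOW()'),
));

// Varien's select builder also binds through quoteInto()-style placeholders,
// which is the usual way to write reads in Magento 1 code.
$select = $read->select()
    ->from('mage_example', array('name', 'email'))
    ->where('name = ?', $userInput);
$matching = $read->fetchAll($select);
```

In practice bound parameters (options 2) are the form to prefer for new code, and quote()/quoteInto() is the fallback when a value has to be embedded in SQL text that cannot take a placeholder, such as a dynamically built fragment; in both cases the adapter does the escaping, which is why Magento has no separate wrapper for mysql_real_escape_string.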
