I am using mssql and sqlsrv libraries (cross platform site) with phss and give me a snippet for string hygiene Has never had to use nor does the library provide a mysqli_real_escape_string intellectualism.
My task is:
public function syntax ($ string) {if (numeric ($ string) || $ string == = 'NULL' {$ $ String;} $ unpacked = unpack ('H * hex', $ string); Return '0x'. $ Unpacked ['hex'];} The function changes the string to hex value Which causes the SQL statement in the string as a string, I have found somewhere on the stack overflow.
However a query for LIKE is Hello% String hex like an In the form of wild card, after encoding it will also explain % . In fact, % should be encoded for hex as compared to work.
How can I ensure that any user has entered wild card characters, that is not wild card?
Example query:
Select LastName, before user, where user code like 'search string' ' An "search string" is a string that is passed through the above hygiene function. At the end of the string before the query, I always add a % , but the user can put one in the beginning or middle or using any other type of wildcard to prevent the query from succeeding. After all, I wrote my decision for this and here I decided what I have to do. Still appreciate any feedback or better solution Do I miss any tokens or special characters in this list?
function mssqlLikeEscape ($ string) {$ new_string = preg_replace ('/ ([\ [\]% _ \ ^]) /', '[$ 1]', $ string); Return $ new_string; } Example Usage:
echo mssqlLikeEscape ('A [has the value in the bush in the hand.']; Result:
is worth [%] in one [[] bush in the hand. 
No comments:
Post a Comment