Print Page - SQL Escaping in MySQL

Title: SQL Escaping in MySQL
Post by: Jeff on April 17, 2007, 07:16:49 AM

Add the following lines to your mysql.lsp library, depending on the version of mysql client lib you have:

Code Select Expand
(import libmysqlclient "mysql_escape_string") ; MySQL4
(import libmysqlclient "mysql_real_escape_string") ; MySQL5

MySQL4

Code Select Expand
(define (escape value , safe-value)
  "Escapes input value using mysql_escape_string."
  (set 'safe-value (dup " " (+ 1 (length value))))
  (MySQL:mysql_escape_string safe-value value (length value))
  safe-value)

MySQL5

Code Select Expand
(define (escape value , safe-value)
  "Escapes input value using mysql_real_escape_string."
  (set 'safe-value (dup " " (+ 1 (length value))))
  (MySQL:mysql_real_escape_string MySQL:MYSQL safe-value value (length value))
  safe-value)

These will escape newlines, single and double ticks, etc, to prevent sql injection.

newLISP Fan Club

Forum => Anything else we might add? => Topic started by: Jeff on April 17, 2007, 07:16:49 AM