SQL Escaping in MySQL

Started by Jeff, April 17, 2007, 07:16:49 AM

Previous topic - Next topic

Jeff

Add the following lines to your mysql.lsp library, depending on the version of mysql client lib you have:


(import libmysqlclient "mysql_escape_string") ; MySQL4
(import libmysqlclient "mysql_real_escape_string") ; MySQL5


MySQL4
(define (escape value , safe-value)
  "Escapes input value using mysql_escape_string."
  (set 'safe-value (dup " " (+ 1 (length value))))
  (MySQL:mysql_escape_string safe-value value (length value))
  safe-value)


MySQL5
(define (escape value , safe-value)
  "Escapes input value using mysql_real_escape_string."
  (set 'safe-value (dup " " (+ 1 (length value))))
  (MySQL:mysql_real_escape_string MySQL:MYSQL safe-value value (length value))
  safe-value)


These will escape newlines, single and double ticks, etc, to prevent sql injection.
Jeff

=====

Old programmers don\'t die. They just parse on...



http://artfulcode.net\">Artful code