SQL Escaping in MySQL



Post by Jeff »

Add the following lines to your mysql.lsp library, depending on the version of mysql client lib you have:

(import libmysqlclient "mysql_escape_string")      ; MySQL 4 client library
(import libmysqlclient "mysql_real_escape_string") ; MySQL 5 client library
MySQL4

(define (escape value , safe-value n)
  "Escapes input value using mysql_escape_string."
  ; The destination buffer must hold 2*len+1 bytes: every input byte may
  ; be rewritten as two bytes, plus the terminating NUL the C function adds.
  (set 'safe-value (dup " " (+ 1 (* 2 (length value)))))
  ; The C function returns the number of bytes written (without the NUL);
  ; newLISP keeps the string at its allocated length, so cut it to size.
  (set 'n (MySQL:mysql_escape_string safe-value value (length value)))
  (slice safe-value 0 n))
MySQL5

(define (escape value , safe-value n)
  "Escapes input value using mysql_real_escape_string."
  ; Same 2*len+1 sizing rule as above; mysql_real_escape_string also takes
  ; the connection handle so it can honour the connection's character set.
  (set 'safe-value (dup " " (+ 1 (* 2 (length value)))))
  (set 'n (MySQL:mysql_real_escape_string MySQL:MYSQL safe-value value (length value)))
  (slice safe-value 0 n))

These will escape newlines, single and double ticks, etc., to prevent SQL injection.
Jeff
=====
Old programmers don't die. They just parse on...

Artful code
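As an added illustration (not part of the post above, and not the newLISP module's code), the following pure-Python model reproduces the character rewrites the MySQL C API documents for mysql_real_escape_string() (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z). It makes two things visible that the library call hides: the escaped output can be up to twice the input length, which is why the C API requires a destination buffer of 2*len+1 bytes, and escaping only protects a value that is spliced into a quoted string literal; a bare numeric context such as `WHERE id = 1 OR 1=1` is untouched. The function and query names (mysql_escape, build_lookup, build_by_id) and the sample inputs are my own; the real library additionally knows the connection's character set, which this model does not, so use the library call in practice.

```python
# Added illustration: a pure-Python model of the escaping that MySQL's
# mysql_real_escape_string() performs, per the MySQL C API documentation.
# This is not the newLISP module code from the post and not a drop-in
# replacement for the library call (which also knows the connection's
# character set); it exists to make the buffer bound and the limits visible.

# Characters the C function rewrites, and what each becomes.
MYSQL_ESCAPES = {
    "\0": "\\0",    # NUL
    "\n": "\\n",    # newline
    "\r": "\\r",    # carriage return
    "\\": "\\\\",   # backslash
    "'": "\\'",     # single quote
    '"': '\\"',     # double quote
    "\x1a": "\\Z",  # Ctrl-Z
}


def mysql_escape(value: str) -> str:
    """Escape `value` the way mysql_real_escape_string() does for an
    ASCII-compatible connection character set (model; hypothetical name)."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def required_buffer_size(value: str) -> int:
    """Bytes the destination buffer must hold: each input byte may become
    two, plus the terminating NUL. This is the 2*len+1 bound from the C API
    documentation; a len+1 byte buffer overflows on an input made of quotes."""
    return 2 * len(value.encode("utf-8")) + 1


def escaped_size(value: str) -> int:
    """Actual escaped length in bytes, to compare against the buffer bound."""
    return len(mysql_escape(value).encode("utf-8"))


def build_lookup(username: str) -> str:
    """Quoted string context: escaping keeps the input inside the literal."""
    return "SELECT id FROM users WHERE name = '%s'" % mysql_escape(username)


def build_by_id(user_id: str) -> str:
    """Unquoted numeric context: escaping does NOT help here, because there
    is no quote for the input to break out of. Only a type check
    (int(user_id)) or a parameterised query keeps '1 OR 1=1' out.
    Deliberately left unsafe so the demo shows the gap."""
    return "SELECT id FROM users WHERE id = %s" % mysql_escape(user_id)


if __name__ == "__main__":
    attempt = "' OR '1'='1"            # constructed sample input
    print(build_lookup(attempt))       # the quote stays inside the literal

    quotes = "'" * 8                   # constructed worst case: all quotes
    print(escaped_size(quotes), required_buffer_size(quotes))

    print(build_by_id("1 OR 1=1"))     # escaping changed nothing here
```

Run it and compare the two queries: the first keeps the attempt inside the string literal, the second is a working injection even though the value went through the escaper. The sizing functions show an 8-byte input of quotes escaping to 16 bytes, which a buffer of length+1 bytes cannot hold.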
