CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Developer Discussion (Moderator: Donald Lobo)
Author Topic: Need to use mysql_real_escape_string() in custom code  (Read 2349 times)

SarahG (FountainTribe)

  • Posts: 782
  • Karma: 29
  • CiviCRM version: 4.4.7
  • CMS version: Drupal 6, Drupal 7
  • MySQL version: 5.5
  • PHP version: 5.3
Need to use mysql_real_escape_string() in custom code
March 28, 2011, 12:06:47 pm
I need to use the PHP function mysql_real_escape_string() in one of my custom searches, to escape the apostrophes in the SQL statement.

According to documentation I have found, I need to call "mysql_connect()" before calling the function mysql_real_escape_string(). 

Is there a simple way to use these functions in my custom search, so that it uses the CiviCRM database connection information?  Or is there another approach that is simpler?

xcf33

  • Posts: 181
  • Karma: 7
  • CiviCRM version: 3.3.2
  • CMS version: Drupal 6.19/6.20
  • MySQL version: 5.x
  • PHP version: 5.2.6
Re: Need to use mysql_real_escape_string() in custom code
March 28, 2011, 12:11:37 pm
Why do you need to use it?

It is only useful when you are inserting data, I don't see that case in building a custom search (where you are just doing SELECT queries).

In addition, if you need to escape quotes, just use the PHP function addslashes().

Cheers!

SarahG (FountainTribe)

  • Ask me questions
  • ****
  • Posts: 782
  • Karma: 29
  • CiviCRM version: 4.4.7
  • CMS version: Drupal 6, Drupal 7
  • MySQL version: 5.5
  • PHP version: 5.3
Re: Need to use mysql_real_escape_string() in custom code
March 28, 2011, 02:59:19 pm
My custom search is inserting data into a temp table, which then gets queried for the final results to show on the screen.  I am using the mysql_real_escape_string to make sure the data is safe to insert.

Donald Lobo

  • Administrator
  • Posts: 15963
  • Karma: 470
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Need to use mysql_real_escape_string() in custom code
March 28, 2011, 03:06:05 pm

In general you should not call that function directly. You should either use Drupal/Joomla's DB layer or CiviCRM's DB layer.

For CiviCRM, you should use the function: CRM_Core_DAO::executeQuery

lobo

SarahG (FountainTribe)

  • Ask me questions
  • ****
  • Posts: 782
  • Karma: 29
  • CiviCRM version: 4.4.7
  • CMS version: Drupal 6, Drupal 7
  • MySQL version: 5.5
  • PHP version: 5.3
Re: Need to use mysql_real_escape_string() in custom code
March 28, 2011, 04:09:57 pm
I already am using the function "CRM_Core_DAO::executeQuery" to execute the insert statement.   The issue I face is if I do not escape my SQL string before calling executeQuery, then I get a hard error when there is a special char in the data being inserted.

My call is currently:

CRM_Core_DAO::executeQuery( $sql, CRM_Core_DAO::$_nullArray );

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Need to use mysql_real_escape_string() in custom code
March 28, 2011, 09:33:32 pm

The second param for executeQuery is an array of

ID => array( value, type )

where ID is the placeholder (%1, %2, etc.).

Might want to check: CRM/Contact/BAO/Contact.php and search for executeQuery.

Would be great if you can take a first stab at explaining that function so others can benefit. Ping us on IRC and we can give more details, etc.

lobo
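As an added example (not code from the thread, and not CiviCRM's own code), here is how the temp-table INSERT from the question can be written in the placeholder form lobo describes, so that no hand-escaping with mysql_real_escape_string() or addslashes() is needed. It assumes the CRM_Core_DAO::executeQuery($sql, $params) signature of CiviCRM 3.x/4.x; the table name, column names and the sample row are made up for the illustration. Passing CRM_Core_DAO::$_nullArray as the second argument, as in the original call, means no substitution and therefore no escaping at all.

```php
<?php
// Added example, not from the thread or from CiviCRM itself.
// Fills a temporary table from a custom search using %N placeholders,
// which CRM_Core_DAO::executeQuery() validates and escapes for you.
// Table and column names below are hypothetical.

function example_build_temp_table($tableName) {
  // Identifiers (table/column names) are NOT placeholder values: the
  // placeholder mechanism escapes and quotes data, so identifiers must
  // come from your own code, never from user-supplied input.
  CRM_Core_DAO::executeQuery("DROP TEMPORARY TABLE IF EXISTS {$tableName}");
  CRM_Core_DAO::executeQuery("
    CREATE TEMPORARY TABLE {$tableName} (
      contact_id   INT UNSIGNED NOT NULL,
      display_name VARCHAR(255),
      note         TEXT
    )");
}

function example_insert_row($tableName, $contactId, $displayName, $note) {
  // Each %N is replaced by $params[N][0] after it is checked against the
  // type in $params[N][1]. 'Integer' values are validated (a non-integer
  // aborts the query instead of reaching MySQL); 'String' values are
  // escaped and wrapped in quotes by executeQuery() itself, so the
  // placeholder is written bare (%2), not inside quotes ('%2').
  // Confirm the quoting rule against CRM_Core_DAO::composeQuery() in
  // your installed version.
  $sql = "INSERT INTO {$tableName} (contact_id, display_name, note)
          VALUES (%1, %2, %3)";
  $params = array(
    1 => array($contactId,   'Integer'),
    2 => array($displayName, 'String'),
    3 => array($note,        'String'),
  );
  CRM_Core_DAO::executeQuery($sql, $params);
}

// Usage with a constructed row that contains an apostrophe, a backslash
// and double quotes, the characters that break a hand-built INSERT.
example_build_temp_table('civicrm_tmp_example');
example_insert_row('civicrm_tmp_example', 42, "O'Brien", 'dir C:\\temp; says "hi"');

// Reading the rows back uses the same placeholder form; fetch() walks the
// result set and exposes each column as a property of the DAO object.
$dao = CRM_Core_DAO::executeQuery(
  "SELECT contact_id, display_name, note
   FROM civicrm_tmp_example
   WHERE contact_id = %1",
  array(1 => array(42, 'Integer'))
);
while ($dao->fetch()) {
  echo $dao->contact_id . ': ' . $dao->display_name . ' / ' . $dao->note . "\n";
}
```

The practical difference from the original call: with placeholders the SQL text never contains user data, so a stray apostrophe can neither produce the "hard error" from the thread nor change the meaning of the statement. If a value fails its type check, executeQuery() aborts rather than sending the statement, which is the behaviour you want for data copied out of contact records into a temp table.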
