Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to mysql escape in magento?

Tags:

mysql

magento

I want to escape string in magento, but when I am using mysql_real_escape_string, i am getting warning.

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.soc.....'

I couldn't find any magento's core mysql escape function. So, what should I do?

like image 789
user1463076 Avatar asked Jun 21 '12 06:06

user1463076


2 Answers

Use this to escape a string for a query and add the surrounding single quotes:

Mage::getSingleton('core/resource')->getConnection('default_write')->quote($string);

You can look up Varien_Db_Adapter_Pdo_Mysql for further quoting details if needed.

like image 57
Vinai Avatar answered Oct 16 '22 05:10

Vinai


I think Magento uses a DB Access layer based on PDO, which handles escaping automatically provided you use bound parameters. Example from Using Magento Methods to write Insert Queries with care for SQL Injection

$write = Mage::getSingleton("core/resource")->getConnection("core_write");

// Concatenated with . for readability
$query = "insert into mage_example "
       . "(name, email, company, description, status, date) values "
       . "(:name, :email, :company, :desc, 0, NOW())";

$binds = array(
    'name'    => "name' or 1=1",
    'email'   => "email",
    'company' => "company",
    'desc'    => "desc",
);
$write->query($query, $binds);
like image 25
siliconrockstar Avatar answered Oct 16 '22 04:10

siliconrockstar