PHP
ssrdop, 2017-03-29 10:37:52

Is it correct to escape data before working with the database, as implemented in opencart?

opencart has an escape function that escapes a value before it is used with the database:

// Replaces each byte MySQL treats specially inside a quoted literal with its backslash form
public function escape($value) {
    $search  = array("\\", "\0", "\n", "\r", "\x1a", "'", '"');
    $replace = array("\\\\", "\\0", "\\n", "\\r", "\Z", "\'", '\"');
    return str_replace($search, $replace, $value);
}

How safe is it?
If you use the standard function mysql_real_escape_string, will that be more effective?
Or can they be used together? (Even though both escape anyway...)
Don't swear at me about mysql_real_escape_string: the project is old, there is no PDO or mysqli in it.


2 answers
OnYourLips, 2017-03-29
@ssrdop

Wrong and dangerous. The data does not need to be escaped explicitly.
Placeholders need to be used instead. Escaping will still actually happen, but deep inside the driver or even on the database client's side.
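As an added example (not OpenCart's code and not from either answer), the escape-then-interpolate pattern from the question beside the placeholder approach recommended above; the `product` table, its `name` column and the PDO DSN are assumptions.

```php
<?php
// Same character set as the escape() in the question, as a plain function
// so it can be run outside OpenCart.
function escape_like_opencart(string $value): string {
    $search  = array("\\", "\0", "\n", "\r", "\x1a", "'", '"');
    $replace = array("\\\\", "\\0", "\\n", "\\r", "\Z", "\'", '\"');
    return str_replace($search, $replace, $value);
}

// Approach 1: escape, then interpolate into the SQL text.
// Escaping only has meaning inside a quoted string literal, so the quotes
// around %s are part of the protection, not decoration.
function build_escaped_query(string $userInput): string {
    return sprintf("SELECT * FROM product WHERE name = '%s'",
                   escape_like_opencart($userInput));
}

// Approach 2: placeholders. The value never becomes part of the SQL text;
// the driver (or the server, with native prepares) handles it.
function find_product(PDO $pdo, string $userInput): array {
    $stmt = $pdo->prepare("SELECT * FROM product WHERE name = :name");
    $stmt->execute([':name' => $userInput]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote and a backslash.
$input = "O'Reilly \\ test";
echo build_escaped_query($input), PHP_EOL;

// Escaping twice (escape() and mysql_real_escape_string() on the same value)
// adds no safety: MySQL decodes one level of backslashes, so the extra
// backslashes end up stored in the row as literal characters.
echo build_escaped_query(escape_like_opencart($input)), PHP_EOL;

// The placeholder version needs a live connection (placeholder DSN):
// $pdo  = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass');
// $rows = find_product($pdo, $input);
```

Run the script to compare the two generated query strings; the second shows why combining the two escape functions changes the stored value rather than hardening anything.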

web-mechanic, 2017-04-02
@amfetamine

$this->db->escape($string);

Did you try opening the source code and looking at the available methods for working with the database?
