Why do we escape strings?
#1

I've been working with MySQL for a while, but there's one thing I don't get: why do we escape strings? What does it even mean?
#2

It's to prevent SQL injection.

Enter "DROP TABLE `accounts`" in a dialog that processes a query. Try it out (but be careful about what it does).

http://www.w3schools.com/sql/sql_injection.asp

The first thing you'll notice behind that link:

An SQL Injection can destroy your database.

I think that's pretty clear and explains why you should escape strings on queries.

By the way, use the specifier "%q" in the "format" function to escape a string. It takes the place of the "%s" specifier.
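To make the point concrete, here is an added example (not from the thread, and not the SA-MP `format` function the post refers to) in Python with the built-in `sqlite3` module. It shows three ways of building the same login query: pasting input straight into the SQL text, escaping it first by doubling single quotes (the rule SQLite's own `%q` applies; that the forum's `format` does exactly the same is an assumption), and binding it as a parameter. The `accounts` table, its two rows and the inputs are constructed for the demo.

```python
import sqlite3

QUERY_TEMPLATE = "SELECT name FROM accounts WHERE name = '%s' AND password = '%s'"
QUERY_PARAM = "SELECT name FROM accounts WHERE name = ? AND password = ?"


def make_db():
    """Constructed sample data: an in-memory accounts table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def sqlite_escape(s):
    """Escape a string for use inside a single-quoted SQL literal.

    SQLite's %q format specifier does exactly this: every ' becomes ''
    so the quote ends up inside the literal instead of closing it.
    """
    return s.replace("'", "''")


def login_unsafe(conn, name, password):
    """Vulnerable: the user's text becomes part of the SQL statement itself."""
    sql = QUERY_TEMPLATE % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_escaped(conn, name, password):
    """Same query, but the input is escaped before it is spliced in."""
    sql = QUERY_TEMPLATE % (sqlite_escape(name), sqlite_escape(password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Preferred: the driver sends the values separately from the SQL text,
    so they can never be parsed as SQL no matter what they contain."""
    return [row[0] for row in conn.execute(QUERY_PARAM, (name, password))]


def demo():
    """Run the classic w3schools-style payload through all three variants."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed: closes the literal, then a tautology
    return {
        # the condition degrades to (... AND password='') OR '1'='1' -> every row
        "unsafe": login_unsafe(conn, "alice", payload),
        # the payload is now just an odd-looking password that matches nobody
        "escaped": login_escaped(conn, "alice", payload),
        "param": login_param(conn, "alice", payload),
        # correct credentials still work with the safe variant
        "param_good": login_param(conn, "alice", "s3cret"),
    }


def unsafe_breaks_on_apostrophe():
    """Escaping is not only about attackers: an ordinary name with an
    apostrophe makes the unescaped query a syntax error."""
    conn = make_db()
    try:
        login_unsafe(conn, "O'Brien", "whatever")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("apostrophe breaks unsafe query:", unsafe_breaks_on_apostrophe())
```

Escaping with `%q` (or `sqlite_escape` above) fixes the immediate problem, but it relies on remembering to escape every single value in every query; parameter binding removes that burden because the database never sees user input as SQL text at all.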
#3

Quote:
Originally Posted by SickAttack
It's to prevent SQL injection.

Enter "DROP TABLE `accounts`" in a dialog that processes a query. Try it out (but be careful about what it does).

http://www.w3schools.com/sql/sql_injection.asp

The first thing you'll notice behind that link:

An SQL Injection can destroy your database.

I think that's pretty clear and explains why you should escape strings on queries.

By the way, use the specifier "%q" in the "format" function to escape a string. It takes the place of the "%s" specifier.
Oh thanks, you just explained it in a couple of lines. Cool. +rep
#4

Quote:
Originally Posted by SystemX
Oh thanks, you just explained it in a couple of lines. Cool. +rep
Never trust the client and never trust that their input is safe. Very important when working with SQL in any case.
#5

Quote:
Originally Posted by Jack_SMalls
Never trust the client and never trust that their input is safe. Very important when working with SQL in any case.
Got it!