String escape in Delphi ?

Forum related to version 6.5.1 (alpha) and 6.6.x (beta) of ZeosLib's DBOs

matf

Post by matf »

Hi There,

I'm looking for a Delphi function that does the same as the mysql_real_escape_string function in PHP, to protect my application and my database from SQL injection.

Can you help me?

Thanks a lot,
Matf.
btrewern
Expert Boarder
Posts: 193
Joined: 06.10.2005, 18:51

Post by btrewern »

I use QuotedStr() but I'm not sure if that covers you for every eventuality.

Regards,

Ben
matsgefvert
Junior Boarder
Posts: 38
Joined: 22.11.2005, 09:11
Location: Skövde, Sweden

Post by matsgefvert »

I've looked around for a similar function that's not dependent on the particular database. The one we've been using so far is EscapeCString in ZSysUtils, but we only use it for MySQL anyhow.

SQL Server is decidedly trickier, and quite frankly, I'm not sure how to do it. Is the solution to only use parameters and let the ZDbc layer handle it?

/ Matt
Coffee clarifies the mind, improves morale, lifts the spirit and motivates and inspires to focused, productive work.
matf

Post by matf »

I can't find this function in the ZSysUtils unit... That's strange.
matsgefvert
Junior Boarder
Posts: 38
Joined: 22.11.2005, 09:11
Location: Skövde, Sweden

Post by matsgefvert »

6.1.5 here. I guess they keep changing stuff. :)

/ Matt
Coffee clarifies the mind, improves morale, lifts the spirit and motivates and inspires to focused, productive work.
matf

Post by matf »

Well, that's right. But what is this function called now?
username
Fresh Boarder
Posts: 5
Joined: 12.10.2005, 15:00
Location: Bolivia

In Delphi

Post by username »

// Prefixes each single quote, backslash, double quote and semicolon in
// Value with a backslash; every other character is copied unchanged.
function CheckScapeString(const Value: string): string;
var
  I: Integer;
begin
  Result := '';
  for I := 1 to Length(Value) do
    if Value[I] in ['''', '\', '"', ';'] then
      Result := Result + '\' + Value[I]
    else
      Result := Result + Value[I];
end;
matf

Post by matf »

Thank you!
anse123
Junior Boarder
Posts: 26
Joined: 23.02.2006, 22:28

Post by anse123 »

The big problem with these functions (CheckScapeString, EscapeCString, QuotedStr) is that they only escape the most commonly needed characters, such as quotes, double quotes and maybe one or two others. mysql_real_escape_string is somewhat more complex and would be the best choice. For example, it escapes characters depending on the connection character set.

Is there any way to use these "mysql_*" function calls from the DLL in ZEOS 6.5.1 / Delphi? I know that most of these functions need a PMYSQL resource parameter, which is not there if you connect through Zeos, but maybe someone knows a way to use them?
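The parameter-based approach Matt asked about earlier in the thread is the usual answer to the limitation anse123 describes: if the value is bound through the ZDbc layer, the application never builds SQL text out of user input, so there is nothing for a hand-written escaper to miss. The following is an added example, not code from the thread or from ZeosLib itself; it assumes an already connected TZConnection, and the table and column names (users, name, email) are made up for the illustration.

```pascal
unit UserLookup;

interface

uses
  ZConnection, ZDataset;

// Returns the e-mail stored for UserName, or '' when no row matches.
// UserName is passed as a query parameter, never concatenated into SQL.
function FindUserEmail(Conn: TZConnection; const UserName: string): string;

implementation

uses
  DB;

function FindUserEmail(Conn: TZConnection; const UserName: string): string;
var
  Q: TZQuery;
begin
  Result := '';
  Q := TZQuery.Create(nil);
  try
    Q.Connection := Conn;
    // The statement text is fixed; :name is a placeholder (table and
    // column names are made up for this example). The value is handed to
    // the ZDbc layer through Params, so quotes, backslashes or semicolons
    // typed by the user stay data and cannot change the statement.
    Q.SQL.Text := 'SELECT email FROM users WHERE name = :name';
    Q.ParamByName('name').AsString := UserName;
    Q.Open;
    try
      if not Q.Eof then
        Result := Q.FieldByName('email').AsString;
    finally
      Q.Close;
    end;
  finally
    Q.Free;
  end;
end;

end.
```

A name such as O'Brien, or one containing a backslash, can be passed straight through without any call to CheckScapeString or QuotedStr.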
gto
Zeos Dev Team
Posts: 278
Joined: 11.11.2005, 18:35
Location: Porto Alegre / Brasil

Post by gto »

anse123 wrote: The big problem with these functions (CheckScapeString, EscapeCString, QuotedStr) is that they only escape the most commonly needed characters, such as quotes, double quotes and maybe one or two others. mysql_real_escape_string is somewhat more complex and would be the best choice. For example, it escapes characters depending on the connection character set.

Is there any way to use these "mysql_*" function calls from the DLL in ZEOS 6.5.1 / Delphi? I know that most of these functions need a PMYSQL resource parameter, which is not there if you connect through Zeos, but maybe someone knows a way to use them?

You can inspect the ZPlainMySqlXXXXX.pas files located in ZeosRoot\src\plain. There are 7 files in the Testing_79 revision, which is the lowest level of the relation between Zeos and MySQL. All MySQL native functions are in those files, as are the constants and data structures needed to access them ;)
Use the FU!!!!!IN Google !

gto's Zeos Quick Start Guide

Te Amo Taís!