
String escape in Delphi?

Posted: 06.03.2006, 08:56
by matf
Hi There,

I'm looking for a Delphi function that does the same as the mysql_real_escape_string function in PHP, to protect my application and my database from SQL injection.

Can you help me?

Thanks a lot,
Matf.

Posted: 06.03.2006, 11:39
by btrewern
I use QuotedStr() but I'm not sure if that covers you for every eventuality.

Regards,

Ben

Posted: 06.03.2006, 19:14
by matsgefvert
I've looked around for a similar function that's not dependent on the particular database. The one we've been using so far is EscapeCString in ZSysUtils, but we only use it for MySQL anyhow.

SQL Server is decidedly trickier, and quite frankly, I'm not sure how to do it. Is the solution to only use parameters and let the ZDbc layer handle it?

/ Matt

Posted: 07.03.2006, 07:56
by matf
I can't find this function in the ZSysUtils Unit... That's strange.

Posted: 07.03.2006, 08:30
by matsgefvert
6.1.5 here. I guess they keep changing stuff. :)

/ Matt

Posted: 08.03.2006, 08:44
by matf
Well, that's right. But what is this function called now in Delphi?

Posted: 08.03.2006, 23:15
by username

// Backslash-escapes the four characters ', \, " and ; (MySQL-style);
// every other character is copied through unchanged.
function CheckScapeString(const Value: string): string;
var
  I: Integer;
begin
  Result := '';
  for I := 1 to Length(Value) do
    if Value[I] in ['''', '\', '"', ';'] then
      Result := Result + '\' + Value[I]
    else
      Result := Result + Value[I];
end;

Posted: 09.03.2006, 09:54
by matf
Thank you!

Posted: 26.07.2006, 21:21
by anse123
The big problem with these functions (CheckScapeString, EscapeCString, QuotedStr) is that they only escape the most commonly needed things, such as quotes, double quotes and maybe one or two other characters. mysql_real_escape_string is somewhat more complex and would be the best choice. For example, it escapes characters depending on the connection character set.

Is there any way to use these "mysql_*" function calls from the DLL in ZEOS 6.5.1 / Delphi? I know that most of these functions need a PMYSQL resource parameter, which is not there if you connect through Zeos, but maybe someone knows a way to use them?

Posted: 26.07.2006, 23:31
by gto
anse123 wrote:
    The big problem with these functions (CheckScapeString, EscapeCString, QuotedStr) is that they only escape the most commonly needed things, such as quotes, double quotes and maybe one or two other characters. mysql_real_escape_string is somewhat more complex and would be the best choice. For example, it escapes characters depending on the connection character set.

    Is there any way to use these "mysql_*" function calls from the DLL in ZEOS 6.5.1 / Delphi? I know that most of these functions need a PMYSQL resource parameter, which is not there if you connect through Zeos, but maybe someone knows a way to use them?

You can inspect the ZPlainMySqlXXXXX.pas files located in ZeosRoot\src\plain. There are 7 files in the Testing_79 revision, which is the lowest level of the relation between Zeos and MySQL. All MySQL native functions are in those files, as well as the constants and data structures needed to access them ;)
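Matt's question above (whether to just use parameters and let the ZDbc layer handle the quoting) and anse123's point that a hand-rolled escaper misses character-set-dependent cases both point the same way. The following is an added example, not code from this thread or from the Zeos project: the concatenated query beside its parameterised form on a TZQuery. It assumes an already configured TZConnection, a TZQuery named Qry bound to it, and a `users` table with a `login` column; none of those come from the thread.

```pascal
uses
  SysUtils, ZConnection, ZDataset;

// Risky: the user-supplied value is spliced into the SQL text. A hand-written
// escaper such as CheckScapeString only handles the characters it knows about;
// whatever it does not cover becomes part of the statement.
function FindUserUnsafe(Qry: TZQuery; const Login: string): Boolean;
begin
  Qry.Close;
  Qry.SQL.Text := 'SELECT id FROM users WHERE login = ''' + Login + '''';
  Qry.Open;
  Result := not Qry.IsEmpty;
end;

// Safe: the value travels as a parameter. The SQL text never changes, and the
// driver layer is responsible for quoting it correctly for the connection's
// character set, which is exactly what mysql_real_escape_string exists for.
function FindUserSafe(Qry: TZQuery; const Login: string): Boolean;
begin
  Qry.Close;
  Qry.SQL.Text := 'SELECT id FROM users WHERE login = :login';
  Qry.ParamByName('login').AsString := Login;
  Qry.Open;
  Result := not Qry.IsEmpty;
end;

// Demonstration with a perfectly ordinary value that contains an apostrophe
// (constructed sample input). The concatenated form produces a malformed
// statement and raises; the parameterised form simply looks the name up.
procedure Demo(Qry: TZQuery);
const
  Name = 'O''Brien';
begin
  try
    FindUserUnsafe(Qry, Name);
  except
    on E: Exception do
      WriteLn('concatenated query failed: ', E.Message);
  end;

  if FindUserSafe(Qry, Name) then
    WriteLn('found ', Name)
  else
    WriteLn(Name, ' not found');
end;
```

The same apostrophe that breaks the concatenated statement is the simplest symptom of the problem; the parameterised version is the one to keep, regardless of which escaping helper is available in a given Zeos release.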