SQLite3
在线手册:中文 英文
PHP手册

SQLite3::escapeString

(PHP 5 >= 5.3.0)

SQLite3::escapeStringReturns a string that has been properly escaped

说明

public string SQLite3::escapeString ( string $value )

Returns a string that has been properly escaped for safe inclusion in an SQL statement.

参数

value

The string to be escaped.

返回值

Returns a properly escaped string that may be used safely in an SQL statement.

注释

Warning

addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data.

SQLite3
在线手册:中文 英文
PHP手册
PHP手册 - N: Returns a string that has been properly escaped

用户评论:

rebles at myupb dot com (16-Jan-2011 06:24)

SQLite3::escapeString() should be used on every piece of user input before constructing the query string, or *after* constructing the query string?

Calling this function on user input BEFORE constructing the query string can lead to interesting results.  For instance, it truncates e-mail addresses in an un-usable manor.

alec at alecnewman dot com (09-Aug-2010 10:14)

The reason this function doesn't escape double quotes is because double quotes are used with names (the equivalent of backticks in MySQL), as in table or column names, while single quotes are used for values.

This is important to remember, especially coming from another SQL implementation.  It can cause strange problems, for example, the query:

SELECT * FROM table WHERE column1="column1"

Would actually return every record, because column1 is always equal to column1.  This should instead be:

SELECT * FROM table WHERE column1='column1'

Double quotes are not escaped by the function because they are not interpreted specially within single quoted strings.

koalay at gmail dot com (25-May-2010 04:28)

I seems that the function only escapes single quote ' and left double quote " untouched.

<?php

$database_filename = "database.db";
$dbhandle = new SQLite3($database_filename, $mode=0666, $sqliteerror);
$escape_result = $dbhandle->escapeString("testing's is \"fun\".");
print "$escape_result\n";

?>

The result would be:

  testing''s is "fun".

So, please use single quote to quote text in sqlite query.

<?php

// this should be OK
$sql = sprintf("INSERT INTO table1 (somestr1, somestr2) VALUES ('%s', '%s')",
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

// this would be vulnerable to injection
$sql = sprintf('INSERT INTO table1 (somestr1, somestr2) VALUES ("%s", "%s")',
  $dbhandle->($somestr1), $dbhandle->($somestr1));
$dbhandle->query($sql);

?>