andrewbreksa/mysql-escape-string-polyfill

mysql-escape-string-polyfill is a very insecure `mysql_escape_string` implementation (PHP 7.1/7.2) for a very limited use case

Maintainers

Details

github.com/abreksa4/mysql-escape-string-polyfill

Source

Issues

Installs: 23

Dependents: 0

Suggesters: 0

Security: 0

Stars: 9

Watchers: 3

Forks: 1

Open Issues: 0

1.0.3 2019-03-15 22:00 UTC

Requires

  • php: ^7.1|^7.2

Requires (Dev)

MIT ffc3b608d3b7f590e5f092cfefe77428c3b8abe4

  • Andrew Breksa <andrew.woop@apwg.org>

This package is auto-updated.

Last update: 2024-04-22 15:11:01 UTC

README

Build Status codecov

mysql-escape-string-polyfill is a very insecure mysql_escape_string implementation (PHP 7.1/7.2) for a very limited use case

Usage

  1. Install this package via composer: composer require andrewbreksa/mysql-escape-string-polyfill
  2. Find all the places you use the mysql_* functions, and refactor your code to use PDO

Limitations

  • Uses the following map to replace characters in a string: 
    $replacementMap = [
    "\0" => "\\0",
    "\n" => "\\n",
    "\r" => "\\r",
    "\t" => "\\t",
    chr(26) => "\\Z",
    chr(8) => "\\b",
    '"' => '\"',
    "'" => "\'",
    '_' => "\_",
    "%" => "\%",
    '\\' => '\\\\'
];
  • Not very comprehensively tested, this will be an ongoing effort as new edge cases are discovered

Hacking on the complex source code

The implementation can be found in functions.php, and you can run tests by executing composer test