What's the best way to escape strings for SQL injections and limiting string length?

Hey!
What's the best way of escaping strings and limiting their length? An entity of mine uses Mysqloo so I want to make sure it's secure and it won't be possible to bruteforce.
Thanks!

I think that is the best way, you could also use regex.

EDIT: Huh I stand corrected, SQLStr doesn’t even make the string safe. Regex… patterns, close enough.

SQLStr is for SQLite, not MySQL.

EDIT (5th December 2013):

And GLua does not have regex, it has patterns.

Also, what would be the best way to gsub a string to remove EVERYTHING other than numbers? I can't find anything on it…
Thanks!

Did you even read the MySQLOO documentation? I’m guessing not.

Example:
[lua]
-- Escape through the MySQLOO database object, then refuse over-long input
local queryString = DBObject:escape( "anything' OR 'x'='x" )
if string.len(queryString) > 9001 then return end
[/lua]
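As an added example (my own code, not from the thread or from MySQLOO): the length limit is checked on the raw input before escaping, since escaping can only lengthen a string, and the escape step is passed in as a function so the driver's own DBObject:escape can be supplied in an addon. The stand_in_escape function is an assumption that mimics MySQL's backslash escaping only so the file runs in plain Lua 5.1; it is not the driver's code.

```lua
-- Added example, not from the thread. Runs in plain Lua 5.1.

-- Stand-in escape (assumption for offline use only): backslash-escapes the
-- characters MySQL treats specially. In Garry's Mod you would pass
-- DBObject:escape instead of this function.
local function stand_in_escape(s)
    return (string.gsub(s, "[\\'\"%z\n\r\26]", {
        ["\\"] = "\\\\", ["'"] = "\\'", ['"'] = '\\"',
        ["\0"] = "\\0", ["\n"] = "\\n", ["\r"] = "\\r", ["\26"] = "\\Z",
    }))
end

local MAX_LEN = 64  -- assumed limit for this field; pick one per column

-- Returns the escaped value, or nil plus a reason when the input is rejected.
-- The length check runs on the raw string: a limit applied after escaping
-- measures the escaped text, not what the client actually sent.
local function prepare_field(raw, escape)
    if type(raw) ~= "string" then
        return nil, "rejected: not a string"
    end
    if #raw > MAX_LEN then
        return nil, "rejected: longer than " .. MAX_LEN .. " bytes"
    end
    return escape(raw)
end

-- The injection string from the thread comes back with every quote escaped,
-- so it can no longer close the quoted literal in the query.
local ok = prepare_field("anything' OR 'x'='x", stand_in_escape)
assert(ok == "anything\\' OR \\'x\\'=\\'x")

-- Over-long input is refused before it reaches the escape function.
local rejected, why = prepare_field(string.rep("a", MAX_LEN + 1), stand_in_escape)
assert(rejected == nil)

-- Non-string input (a table, a number from a net message) is refused too.
assert(prepare_field({}, stand_in_escape) == nil)

print(ok)
print(why)
```

The escaped value still has to sit inside its own quotes when the query is built ("... WHERE name = '" .. ok .. "'"); escaping only neutralises the quotes inside the value. Where the driver offers prepared statements, binding the value to a placeholder avoids building the query string at all.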

How do I escape a string without the database object being present?

You’d make your own function to escape strings.

Can I use another database object to escape the strings?

Yes.



[lua]
-- [^%d] matches any non-digit; gsub replaces each one with nothing
local s = string.gsub("test123lol54651231xd", "[^%d]", "")
print(tonumber(s))
[/lua]
>12354651231


That pattern matches everything other than %d. %d is any digit. ^ means it should invert it (if we didn’t invert it, it would find all numbers and remove them instead).

If the numbers are decimal you’d probably want the period sign too, and perhaps the minus sign:



[lua]
-- Keep digits, the minus sign and the period; drop everything else
local s = string.gsub("test-123.lol54651231xd", "[^%d%-%.]", "")
print(tonumber(s))
[/lua]
>-123.54651231


I’ve now added %- and %.
Ideally it would be just -. but since the minus sign and the period are “magic characters” in Lua patterns, I need to escape them.

Note that this doesn’t check for invalid numbers, like 123-456.455.67 would be just as valid. It’s beyond my knowledge to make a pattern that fixes that.
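An added example (my own code, not the poster's) for the two posts above: it strips with the same pattern the post uses, then validates the result with anchored patterns so a malformed value such as 123-456.455.67 is rejected instead of passed to tonumber. It also shows the strict alternative a practitioner usually wants for an integer ID: reject anything that is not entirely digits rather than strip and hope. Runs in plain Lua 5.1.

```lua
-- Added example, not from the thread. Runs in plain Lua 5.1.

-- Same stripping as the post: keep digits, minus and period.
local function strip_to_number_chars(input)
    return (string.gsub(input, "[^%d%-%.]", ""))
end

-- Lua patterns have no alternation, so the two accepted shapes are tested
-- separately: optional minus then digits, or the same followed by exactly
-- one period and more digits. ^ and $ anchor the whole string, so a stray
-- second minus or period anywhere fails the match.
local function is_well_formed_number(s)
    return string.match(s, "^%-?%d+$") ~= nil
        or string.match(s, "^%-?%d+%.%d+$") ~= nil
end

-- Returns the number, or nil plus the stripped text that failed validation.
local function extract_number(input)
    local stripped = strip_to_number_chars(input)
    if not is_well_formed_number(stripped) then
        return nil, stripped
    end
    return tonumber(stripped)
end

-- For an integer ID the safer choice is to reject rather than strip:
-- "5 OR 1=1" stripped becomes 511, a valid-looking but wrong value.
local function strict_integer(input)
    if string.match(input, "^%-?%d+$") then
        return tonumber(input)
    end
    return nil
end

-- The two inputs from the thread.
assert(extract_number("test123lol54651231xd") == 12354651231)
assert(extract_number("test-123.lol54651231xd") == -123.54651231)

-- The malformed case the last post mentions is now rejected.
local n, leftover = extract_number("123-456.455.67")
assert(n == nil and leftover == "123-456.455.67")

-- Stripping silently accepts mangled input; the strict check does not.
assert(extract_number("5 OR 1=1") == 511)
assert(strict_integer("5 OR 1=1") == nil)
assert(strict_integer("42") == 42)
assert(strict_integer("-7") == -7)

print("all checks passed")
```

For a value that ends up in a query, strict_integer is the one to reach for: a number that came through unchanged is exactly what the client sent, while a stripped one may be a different number altogether.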