mysql-real-escape-string

PHP's mysql_real_escape_string and MySQL Injection

谁说胖子不能爱 提交于 2020-01-21 05:31:06
问题 I have been trying to figure out how exactly \x00, \n, \r, \, or \x1a can cause an SQL Injection (as it is mentioned at http://nl3.php.net/manual/en/function.mysql-real-escape-string.php) I understand the idea of single quote and double quotes, but how and why I need to take care of the other items to make my query safe? 回答1: I was wondering about the same question and I found the answer in the C API documentation of MySQL, it states: Characters encoded are “\”, “'”, “"”, NUL (ASCII 0), “\n”,

mysql_real_escape_string() is not escaping anything

旧街凉风 提交于 2020-01-16 14:39:14
问题 would I need to use real escape in both my INSERT and SELECT FROM statements? why the syntax I'm using in the following example isn't working (It's just one of the many ways I've tried)? //insert user input for word 1 $sql = "INSERT INTO test (Word1, Word2, Word3, Word4, Word5) VALUES('$Word1','$Word2','$Word3','$Word4','$Word5')", mysql_real_escape_string($Word1), mysql_real_escape_string($Word2), mysql_real_escape_string($Word3), mysql_real_escape_string($Word4), mysql_real_escape_string(

Do I have to use mysql_real_escape_string if I bind parameters?

时间秒杀一切 提交于 2020-01-09 05:20:27
问题 I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii', $status, $_GET['itemId']); $stmt->execute(); $stmt->close(); } } Do I need to mysql_real_escape_string in this case or am i okay? 回答1: No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string ) , when you are using

insert XML data into mysql with php

一个人想着一个人 提交于 2019-12-30 15:01:59
问题 Portion of xml file that represents the problem (the xml file has hundreds of customers record) <?xml version="1.0" encoding="utf-8"?> <test> <customer> <name>customer 1</name> <address>address 1</address> <city>city 1</city> <state>state 1</state> <zip>zip 1</zip> <phone>phone 1</phone> <buyerinfo> <shippingaddress> <name>ship to</name> <address>Ship address1</address> </shippingaddress> </buyerinfo> <shippingDetail> <saletax> <saletaxamount>2</saletaxamount> </saletax> </shippingDetail> <

mysql_real_escape_string() just makes an empty string?

拜拜、爱过 提交于 2019-12-30 06:08:58
问题 I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code: <?php // Some config stuff define(DB_HOST, 'localhost'); define(DB_USER, 'root'); define(DB_PASS, ''); define(DB_NAME, 'quicklike'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error()); $sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error()); $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg'])); $timeStamp

Htmlentities vs addslashes vs mysqli_real_escape_string

三世轮回 提交于 2019-12-29 06:54:10
问题 I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being advised addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one

mysql_real_escape more than once

亡梦爱人 提交于 2019-12-26 10:00:08
问题 I was just wondering whether it makes a difference if I mysql_real_escape data more than once? So if I escaped data in one part of my website, and then again in another part of code. Would this be a problem? Or make a difference? 回答1: Yes. You'd get extra unnecessary backslashes. 回答2: The right place for mysql_real_escape is right before you send the query to save the data. Every other instance anywhere else in the script is a major design flaw. That should preferably in an own db-class of

mysql real escape string and Cookies

我怕爱的太早我们不能终老 提交于 2019-12-24 20:20:05
问题 Is there any reason this is bad form? The only user input data on the page is // Set username and password from cookies $username = mysql_real_escape_string($_COOKIE["username"]); $password = mysql_real_escape_string($_COOKIE['password']); I am REALLY new to the idea of sanitizing. Is there any reason this is a terrible way of doing things? 回答1: NEVER, EVER store users' data in cookies! Here's what I suggest: store user's ID in cookie generate special token and hash+salt and store them in

html purifier library usage concept

冷暖自知 提交于 2019-12-24 17:52:16
问题 Hi I am at prototype stage with my site. I read the html purifier main page and questions about this library in this site but I am still not clear with the issue on my mind. Can you guide me please? Thanks, BR My Understanding: From the docs I have read, I understood that the best I can do is: to use mysqli_real_escape_string while inputting untrusted data into my mysql database to use html purifier library while outputting data from mysql database to sscreen as html My Questions Q1) Does my

When to use mysql_real_escape_string?

China☆狼群 提交于 2019-12-23 15:14:26
问题 When should i use mysql_real_escape_string? Is it only when i'm inserting rows into a database? Or only when i have user input? Thanks 回答1: You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent sql injection attacks. User inputs are your big area of concern when it comes to this. 回答2: You should use mysql_real_escape