mysql-real-escape-string

问题 I would like to insert the content of an excel file into my database. I simply use a raw query to achieve this. The controller function public function uploadExcel() { $filename = Input::file('import_file')->getRealPath(); $file = fopen($filename, "r"); $count = 0; while (($emapData = fgetcsv($file, 10000, "\t")) !== FALSE) { $count++; if($count>1) { DB::statement("INSERT INTO `members` ( member_title, member_first_name, member_name_affix, member_last_name, member_private_address, member

问题 I am trying to input data using forms into the MySQL, and also using mysql_real_escape_string for this purpose. Unfortunately I am having a problem with the output. It displays \ s, or if I use stripslashes then it removes all slashes. If I submit web's forms using backslash \ I get this output: "web\'s forms using backslash \\" See I got a double backslash. But if I use the stripslashes function then it removes all slashes but also removes inputed slash and the output is "web's forms using

问题 I'm using this query in my code, but it doesn't give me a result $query = sprintf("SELECT s.day, s.hour, h.name hostName FROM schedule s, host h WHERE dag IN (SELECT day FROM schedule WHERE showId = %s ORDER BY day, hour) AND s.hostId = h.id, AND s.showId = %s ORDER BY day, hour", mysqli_real_escape_string($con, $id), mysqli_real_escape_string($con, $id)); I know it's because s.hostId can be NULL. I've found the IFNULL()-method, and used it like this, but that didn't work. SELECT s.day, s

问题 I have a function where users can pull a record searching by a text field. The input is put into the following SQL query: $db->query("Select * from users where name = '".$db->real_escape_string($posted_var)."' limit 1"); $db is a mysqli connection object Works perfect until I have a ' in the name.. then the user is required to manually escape the quote to get it to match........ Shouldn't the real_escape_string() function do that for me? I have a test record where name is "test\'string" in

问题 I've a website that hacked today. Server logs returned something like this as hacker's tries: www.site.com/notifications.php?PID=7&id=999999.9%20union%20all%20select%20%28select%20distinct%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28schema_name%20as%20char%29%29%29%2C0x27%2C0x7e%29%20from%20%60information_schema%60.schemata%20limit%201%2C1%29%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536-- But I've used mysql_real_escape_string() in my code: if (isset($_GET['id'

问题 I've been sanitising my inputs using mysql_real_escape_string amongst other functions and have recently read that Prepared Statements are the only way to be truly secure. However I am reluctant to use these for two reasons: I don't want to rewrite code and I read that using them can have an impact on performance (queries are used extensively in this application). So I am looking for a recent , concrete example of where mysql_real_escape_string fails in a query and the resolution is to use

问题 I am moving my application from Mysql extension to PHP PDO. I am facing a strange problem. In my development environment, I have both db server [MySQL] and web server are in single system where as in testing environment web and db servers are in different system. The following test code runs perfectly in dev environment and fails in test environment. require "class.DB.php" ; class DbMaster extends DB { public function __construct() { $this->Host = "192.168.1.00"; $this->Database = 'test

问题 When is the correct time to use mysql_real_escape_string? Should I be using it when I use isset(mysql_escape_string($_GET['param'])), Should I be using it when I use $foo = mysql_real_escape_string($_GET['bar']); Thanks 回答1: You need to call this function when building SQL queries with string literals. You should not call it anywhere else. The point of calling this function is to prevent you from executing SQL like SELECT * FROM Students WHERE Name = 'Robert'); DROP TABLE Students;--' . mysql

问题 If I have magic_quotes switched on and I use mysql_real_escape_string , will the string be double escaped? Will it cause problems? I assume so based on the get_magic_quotes() function but just seeking confirmation. (P.S. It's easier to ask this question than test it in my office with all the security we have in place - It takes me 10-15 to configure everything to get a usable environment) 回答1: If you escape a value obtained from get/post/cookie input, it will already have addslashes() applied

问题 I'm escaping all the string parameters I receive from a php form like this: $usr_name = mysql_real_escape_string($_REQUEST['usr_name']); to avoid a few problems with SQL Injection. But when I my string back from the function, I end up with nothing. Also I keep getting this weird warning in my PHP log: PHP Warning: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: A link to the server could not be established in /hermes/bosweb