What does mysql_real_escape_string () really do?

One thing I hate about documentation at times (when you're new) is how it doesn't describe things in English. Could someone translate this documentation for me? I would like to know how exactly this makes it difficult for a hacker to insert characters.

http://php.net/manual/en/function.mysql-real-escape-string.php

Also, if so, how does the hacker try to insert characters?

+34
php mysql
Jun 13 '11 at 7:27
6 answers

The function adds an escape character, a backslash, \, in front of certain potentially dangerous characters in the string passed to it. The characters that get escaped are:

\x00, \n, \r, \, ', " and \x1a.

This can help prevent SQL injection attacks, which are often performed using a quote character to append malicious code to an SQL query.

+54
Jun 13

Suppose you want to store the string I'm a "foobar" in the database.
Your query will look something like INSERT INTO foos (text) VALUES ("$text") .
After substituting the variable $text it will look like this:

 INSERT INTO foos (text) VALUES ("I'm a "foobar"") 

Now, where exactly does the string end? You may know, but the SQL parser does not. Not only will this break the query, it can also be used to inject SQL commands that you did not plan for.

mysql_real_escape_string ensures that such ambiguities do not occur, escaping characters of particular importance to the SQL parser:

 mysql_real_escape_string($text) => I\'m a \"foobar\" 

This will:

 INSERT INTO foos (text) VALUES ("I\'m a \"foobar\"") 

This makes the statement unambiguous and safe. The backslash \ signals that the next character should not be interpreted with its special meaning as a string terminator. There are several such characters that mysql_real_escape_string takes care of.

Escaping is a pretty universal thing in programming languages, BTW, and it works along the same lines everywhere. If you want to write the above sentence literally in PHP, you also need to escape it for the same reasons:

 $text = 'I\'m a "foobar"'; // or $text = "I'm a \"foobar\""; 
+36
Jun 13
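The escaping rule the first answer lists and the second answer applies, as an added example that is not code from the original answers: a minimal re-implementation of the escape table, the INSERT from the second answer built with and without it, and a small quote-walking routine that shows why the unescaped version leaves the parser several candidate ends for the string literal. The function names, the quote-walking parser and the sample text are assumptions made for this illustration; real code should call the database driver's own escaping or, better, use prepared statements.

```python
# Added example, not code from the original answers: a minimal re-implementation of the
# escaping rule that the first answer lists and the second answer applies, used to show
# why an unescaped quote leaves the end of the string literal ambiguous to the parser.
# The function names, the quote-walking parser and the sample text are assumptions made
# for this illustration.

# The seven characters the answers name, mapped to the escaped form MySQL accepts.
# NUL, newline, carriage return and Ctrl-Z are written as \0, \n, \r and \Z so that the
# SQL text never carries the raw control byte.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(text: str) -> str:
    """Escape the characters that MySQL's string parser treats specially."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def build_insert(text: str, escape: bool) -> str:
    """Build the INSERT from the second answer, with or without escaping $text."""
    value = mysql_escape(text) if escape else text
    return f'INSERT INTO foos (text) VALUES ("{value}")'


def candidate_literal_ends(sql: str) -> list:
    """Walk the double-quoted literal in `sql` the way a parser would.

    A backslash consumes the following character; any other double quote is a
    delimiter. Returns the index of every such delimiter after the opening quote:
    exactly one for a well-formed query, more than one when the value was not
    escaped and the parser has to pick one (ending the literal early).
    """
    i = sql.index('"') + 1
    ends = []
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character: skip it entirely
            continue
        if sql[i] == '"':
            ends.append(i)  # a quote the parser would treat as the end of the literal
        i += 1
    return ends


if __name__ == "__main__":
    text = 'I\'m a "foobar"'
    for escape in (False, True):
        sql = build_insert(text, escape)
        print(sql)
        print("  possible ends of the literal:", candidate_literal_ends(sql))
```

Run stand-alone, the unescaped INSERT reports three places where the literal could end, while the escaped one reports exactly one, which is the ambiguity the second answer describes.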

PHP's mysql_real_escape_string function is just a wrapper for MySQL's mysql_real_escape_string function. It basically prepares an input string so that it can safely be used in a MySQL string literal, by escaping certain characters so that they cannot be misinterpreted as a string delimiter or as the start of an escape sequence and thus allow certain injection attacks.

The "real" in mysql_real_escape_string, as opposed to mysql_escape_string, comes from the fact that it also takes the current character encoding into account, since the risky characters are not encoded the same way in different character encodings. But you need to set the character encoding correctly for mysql_real_escape_string to work.

+7
Jun 13
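The charset point in the answer above, as an added example that is not code from the original answer: a byte-by-byte escape that does not know the connection charset can be undone by a multi-byte charset such as GBK, because the backslash it inserts (0x5c) is a valid trailing byte of a two-byte GBK character, so the escaped quote becomes the second half of a character and the quote after it is left standing. The function names, the payload and the GBK-only multi-byte model are assumptions made for this illustration; the charset-aware variant is modelled on the approach the MySQL client library takes (pass a valid multi-byte character through, escape a lone lead byte), not copied from it. Note that PHP's mysql_real_escape_string only learns the charset through mysql_set_charset(), not through a SET NAMES query, which is the usual way this goes wrong.

```python
# Added example, not code from the original answer: what the "real" in
# mysql_real_escape_string buys you. A byte-by-byte escape that does not know the
# connection charset can be undone by a multi-byte charset such as GBK, because the
# backslash it inserts (0x5c) is a valid trailing byte of a two-byte GBK character.
# Function names, the payload and the GBK-only multi-byte model are assumptions made
# for this illustration.

# Single-byte characters that must be escaped, keyed by byte value.
_SPECIAL = {0x00: b"\\0", 0x0a: b"\\n", 0x0d: b"\\r", 0x5c: b"\\\\",
            0x27: b"\\'", 0x22: b'\\"', 0x1a: b"\\Z"}


def _mb_len(data: bytes, i: int, charset: str) -> int:
    """Length of the valid multi-byte character starting at data[i], or 0.

    Only double-byte charsets such as GBK are modelled (an assumption): a byte of
    0x81 or above is a lead byte if it and the next byte decode in `charset`.
    """
    if data[i] >= 0x81 and i + 1 < len(data):
        try:
            data[i:i + 2].decode(charset)
            return 2
        except UnicodeDecodeError:
            pass
    return 0


def escape_bytewise(data: bytes) -> bytes:
    """Charset-unaware escaping, the way mysql_escape_string does it."""
    return b"".join(_SPECIAL.get(b, bytes([b])) for b in data)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping, the way mysql_real_escape_string does it once the
    connection charset is known to the client library.

    A complete multi-byte character passes through untouched. A byte that looks
    like a lead byte but does not start a valid character is itself escaped, so it
    can never combine with an inserted backslash into a valid character.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        n = _mb_len(data, i, charset)
        if n:
            out += data[i:i + n]
            i += n
        elif data[i] >= 0x81:
            out += b"\\" + data[i:i + 1]
            i += 1
        else:
            out += _SPECIAL.get(data[i], data[i:i + 1])
            i += 1
    return bytes(out)


def unescaped_quotes(sql: bytes, charset: str) -> int:
    """Count the single quotes a charset-aware server lexer treats as delimiters.

    Like the server, it first checks for a multi-byte character, then for a
    backslash (which hides the next byte), and only then for a quote.
    """
    count = 0
    i = 0
    while i < len(sql):
        n = _mb_len(sql, i, charset)
        if n:
            i += n
        elif sql[i] == 0x5c:
            i += 2
        else:
            if sql[i] == 0x27:
                count += 1
            i += 1
    return count


def login_breaks_out(escaped_password: bytes, charset: str) -> bool:
    """True when the escaped password still closes the password literal early."""
    sql = b"SELECT * FROM users WHERE user='aidan' AND password='" + escaped_password + b"'"
    return unescaped_quotes(sql, charset) != 4   # four quotes delimit the two literals


# Constructed payload: a byte that looks like a GBK lead byte, followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    print("bytewise escape breaks out:", login_breaks_out(escape_bytewise(PAYLOAD), "gbk"))
    print("charset-aware escape breaks out:",
          login_breaks_out(escape_charset_aware(PAYLOAD, "gbk"), "gbk"))
```

With the byte-wise escape the server reads the bytes 0xbf 0x5c as one GBK character and the following quote as the end of the literal, so `OR 1=1` becomes part of the WHERE clause; with the charset-aware escape the stray lead byte is escaped on its own and the quote stays inside the literal.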

The best explanation is here.

http://www.w3schools.com/php/func_mysql_real_escape_string.asp

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

As a rule, this helps to prevent SQL injection. For example, consider the following code:

 <?php
 // We didn't check $_POST['password'], it could be anything the user wanted! For example:
 $_POST['username'] = 'aidan';
 $_POST['password'] = "' OR ''='";

 // Query database to check if there are any matching users
 $query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
 mysql_query($query);

 // This means the query sent to MySQL would be:
 echo $query;
 ?>

so the hacker can send a query like:

SELECT * FROM users WHERE user = 'aidan' AND password = '' OR '' = ''

This will allow anyone to log in without a valid password.

+6
Jun 13

mysql_real_escape_string() helps to escape special characters, such as a single quote, etc., that users can send to your script. You need to escape such characters because it helps to avoid SQL injection.

I would advise you to check:

mysql_real_escape_string() versus Prepared Statements

To be on the safer side, you should switch to Prepared Statements, as discussed in the linked post.

+3
Jun 13
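The login bypass from the fourth answer and the prepared-statement fix the fifth answer recommends, side by side, as an added example that is not code from the original answers. It uses Python's built-in sqlite3 module so it runs offline; the users table, its one constructed account and the function names are assumptions made for this illustration, and the SQL is the same shape as the PHP snippet above.

```python
# Added example, not code from the original answers: the login-bypass query from the
# fourth answer run against an in-memory SQLite database, first with the user input
# spliced into the SQL text and then as a prepared (parameterised) statement, which
# the fifth answer recommends. The table contents and function names are assumptions
# made for this illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('aidan', 'correct-horse')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the same string building as the PHP snippet above.

    The password "' OR ''='" closes the literal early and appends a condition
    that is always true, so the row comes back without the real password.
    """
    query = f"SELECT * FROM users WHERE user='{username}' AND password='{password}'"
    return conn.execute(query).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe: the values travel as parameters and are never parsed as SQL,
    so quotes inside them cannot end the literal."""
    query = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    attack = "' OR ''='"
    print("concatenated SQL, injected password :", login_concat(db, "aidan", attack))
    print("prepared statement, injected password:", login_prepared(db, "aidan", attack))
    print("prepared statement, real password    :", login_prepared(db, "aidan", "correct-horse"))
```

The concatenated version lets the injected password in; the prepared statement rejects it and only accepts the real password, because the driver sends the values separately from the SQL text instead of relying on escaping at all.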

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.

0
Jan 12 '15 at 9:28