Using parameters for mysql_query

Somewhere during my studies I learned something interesting. It says something like the following:

$query = sprintf("SELECT firstname, lastname, address, age FROM friends
    WHERE firstname='%s' AND lastname='%s'",
    mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

Use this query, not:

$query = "SELECT firstname, lastname, address, age FROM friends
    WHERE firstname='" . $_RETURN['name1'] . "' AND lastname='" . $_RETURN['name2'] . "'";

It seems reasonable. Have you ever tried this escaping, and how does it help prevent malicious attacks?

-1
3 answers

The first one protects against what is called SQL injection. It is basically just the ability to modify database queries through user input.

Let's look at an example:

Query:

SELECT temp1 FROM temp WHERE temp2 = 'VAR1';

Now we give VAR1 the value '; DROP TABLE *; -- and we get:

SELECT temp1 FROM temp WHERE temp2 = ''; DROP TABLE *; --';

After mysql_real_escape_string it will look like this:

SELECT temp1 FROM temp WHERE temp2 = '\'; DROP TABLE *; --'

mysql_real_escape_string 'escapes' a string for use in a query.


+5

, sprintf, ; , mysql_real_escape_string SQL ( ); iffy magic_quotes_gpc PHP, .

magic_quotes_gpc , ... :

  • . magic_quotes_gpc SQL-; .
  • You later retrieve this row from the database and include it in another query. Now the string has not come from the request, so magic_quotes_gpc does not escape it. Voilà, SQL injection; your data is now probably gone.

Using some escaping method yourself, whether something like mysql_real_escape_string or a database abstraction layer with a query builder (for example, ADOdb), certainly beats just hoping for the best.

0
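As an added example (it is not from the question or from any of the answers, and it is written in Python against an in-memory SQLite database rather than PHP and MySQL, with the table and its row constructed here), this shows what the first and the last answer describe: the query text the vulnerable concatenation produces for the '; DROP TABLE *; -- input, what a mysql_real_escape_string-style escape turns it into, how a bound parameter keeps the same input as plain data, and why a value that already lives in the database reopens the hole when it is pasted into a second query. The escape function reproduces the documented character set of mysql_real_escape_string and is an assumption of the example, not a driver call; the escaped query text is only displayed, because SQLite quotes with '' rather than backslashes.

```python
import sqlite3

# Characters mysql_real_escape_string backslash-escapes (NUL, \n, \r, \, ', ",
# Ctrl-Z).  Re-implemented here only to show the resulting query text; a real
# application uses the driver's own escaping or, better, bound parameters.
MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

# The input from the first answer (constructed test input, not live data).
PAYLOAD = "'; DROP TABLE *; --"


def mysql_style_escape(value: str) -> str:
    """Escape a string the way mysql_real_escape_string does."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def build_unsafe(var1: str) -> str:
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    return f"SELECT temp1 FROM temp WHERE temp2 = '{var1}';"


def build_escaped(var1: str) -> str:
    """Same query, but the value is escaped first (the sprintf version)."""
    return f"SELECT temp1 FROM temp WHERE temp2 = '{mysql_style_escape(var1)}';"


def setup() -> sqlite3.Connection:
    """In-memory stand-in for the 'temp' table of the answer, with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE temp (temp1 TEXT, temp2 TEXT)")
    conn.execute("INSERT INTO temp VALUES ('row-1', 'VAR1')")
    return conn


def run_unsafe(conn: sqlite3.Connection, var1: str):
    """Execute the concatenated query; returns rows, or the error text when the
    input has changed the structure of the statement (SQLite refuses the extra
    statement the payload smuggled in)."""
    try:
        return conn.execute(build_unsafe(var1)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"error: {exc}"


def run_parameterized(conn: sqlite3.Connection, var1: str):
    """Bind the value as a parameter: the driver never parses it as SQL, so the
    payload is just a string that matches no row."""
    return conn.execute("SELECT temp1 FROM temp WHERE temp2 = ?", (var1,)).fetchall()


def second_order(conn: sqlite3.Connection) -> str:
    """The trap the last answer describes: a value that was stored safely
    (here via a bound parameter; in PHP, via magic_quotes_gpc on the way in)
    comes back from the database unescaped, and pasting it into a second
    query rebuilds the injected statement.  Returns that second query's text."""
    conn.execute("INSERT INTO temp VALUES (?, 'later')", (PAYLOAD,))
    (fetched,) = conn.execute(
        "SELECT temp1 FROM temp WHERE temp2 = 'later'"
    ).fetchone()
    return build_unsafe(fetched)


if __name__ == "__main__":
    print(build_unsafe(PAYLOAD))
    print(build_escaped(PAYLOAD))
    conn = setup()
    print(run_unsafe(conn, PAYLOAD))
    print(run_parameterized(conn, PAYLOAD), run_parameterized(conn, "VAR1"))
    print(second_order(conn))
```

The point of second_order is the one the last answer makes: escaping at the input boundary (magic_quotes_gpc, or a one-off mysql_real_escape_string) protects only the query that receives the request; the same value read back later is raw again, so every query that embeds it has to escape or bind it, and binding is the version that cannot be forgotten per call site.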

Source: https://habr.com/ru/post/1726124/
