mysql-real-escape-string

问题 I have been trying to figure out how exactly \x00, \n, \r, \, or \x1a can cause an SQL Injection (as it is mentioned at http://nl3.php.net/manual/en/function.mysql-real-escape-string.php) I understand the idea of single quote and double quotes, but how and why I need to take care of the other items to make my query safe? 回答1: I was wondering about the same question and I found the answer in the C API documentation of MySQL, it states: Characters encoded are “\”, “'”, “"”, NUL (ASCII 0), “\n”,

问题 would I need to use real escape in both my INSERT and SELECT FROM statements? why the syntax I'm using in the following example isn't working (It's just one of the many ways I've tried)? //insert user input for word 1 $sql = "INSERT INTO test (Word1, Word2, Word3, Word4, Word5) VALUES('$Word1','$Word2','$Word3','$Word4','$Word5')", mysql_real_escape_string($Word1), mysql_real_escape_string($Word2), mysql_real_escape_string($Word3), mysql_real_escape_string($Word4), mysql_real_escape_string(

问题 I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii', $status, $_GET['itemId']); $stmt->execute(); $stmt->close(); } } Do I need to mysql_real_escape_string in this case or am i okay? 回答1: No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string ) , when you are using

问题 Portion of xml file that represents the problem (the xml file has hundreds of customers record) <?xml version="1.0" encoding="utf-8"?> <test> <customer> <name>customer 1</name> <address>address 1</address> <city>city 1</city> <state>state 1</state> <zip>zip 1</zip> <phone>phone 1</phone> <buyerinfo> <shippingaddress> <name>ship to</name> <address>Ship address1</address> </shippingaddress> </buyerinfo> <shippingDetail> <saletax> <saletaxamount>2</saletaxamount> </saletax> </shippingDetail> <

问题 I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code: <?php // Some config stuff define(DB_HOST, 'localhost'); define(DB_USER, 'root'); define(DB_PASS, ''); define(DB_NAME, 'quicklike'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error()); $sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error()); $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg'])); $timeStamp

问题 I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being advised addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one

问题 I was just wondering whether it makes a difference if I mysql_real_escape data more than once? So if I escaped data in one part of my website, and then again in another part of code. Would this be a problem? Or make a difference? 回答1: Yes. You'd get extra unnecessary backslashes. 回答2: The right place for mysql_real_escape is right before you send the query to save the data. Every other instance anywhere else in the script is a major design flaw. That should preferably in an own db-class of

问题 Is there any reason this is bad form? The only user input data on the page is // Set username and password from cookies $username = mysql_real_escape_string($_COOKIE["username"]); $password = mysql_real_escape_string($_COOKIE['password']); I am REALLY new to the idea of sanitizing. Is there any reason this is a terrible way of doing things? 回答1: NEVER, EVER store users' data in cookies! Here's what I suggest: store user's ID in cookie generate special token and hash+salt and store them in

问题 Hi I am at prototype stage with my site. I read the html purifier main page and questions about this library in this site but I am still not clear with the issue on my mind. Can you guide me please? Thanks, BR My Understanding: From the docs I have read, I understood that the best I can do is: to use mysqli_real_escape_string while inputting untrusted data into my mysql database to use html purifier library while outputting data from mysql database to sscreen as html My Questions Q1) Does my

问题 When should i use mysql_real_escape_string? Is it only when i'm inserting rows into a database? Or only when i have user input? Thanks 回答1: You should use mysql_real_escape_string() whenever you're building a query that will be run against the database. Any user input that is being used to build a database query should be run through this function. This will prevent sql injection attacks. User inputs are your big area of concern when it comes to this. 回答2: You should use mysql_real_escape