search
HomeBackend DevelopmentPHP TutorialThe difference between PHP function addslashes and mysql_real_escape_string_PHP tutorial

First of all: don't use mysql_escape_string, it is deprecated, use mysql_real_escape_string instead.

The difference between mysql_real_escape_string and addslashes is:

Difference 1:

addslashes does not know anything about the character set of the MySQL connection. If you pass a string containing a byte encoding other than the MySQL connection you are using, it will happily escape all bytes whose values ​​are the characters ', ", and x00. If you are using Unlike other characters in 8-bit and UTF-8, the values ​​of these bytes are not necessarily all represented by the characters ', ", and x00. The possible result is that an error occurs after MySQL receives these characters.

If you want to fix this bug, you can try using the iconv function to convert the variable to UTF-16, and then use addslashes to escape.

This is one of the reasons not to use addslashes for escaping.

Difference 2:

Compared with addslashes, mysql_real_escape_string also escapes r, n and x1a. It seems that these characters must be told to MySQL correctly, otherwise you will get wrong query results.

This is another reason not to use addslashes for escaping.

addslashes V.S. mysql_real_escape_string

In GBK, 0xbf27 is not a legal multi-character character, but 0xbf5c is. In a single-byte environment, 0xbf27 is treated as 0xbf followed by 0x27(‘), while 0xbf5c is treated as 0xbf followed by 0x5c().

A single quote escaped with a backslash cannot effectively prevent SQL injection attacks against MySQL. If you use addslashes, then I (the attacker, the same below) is very lucky. I just inject something like 0xbf27, and then addslashes it to 0xbf5c27, a legal multibyte character followed by a single quote. In other words, I can successfully inject a single quote regardless of your escaping. This is because 0xbf5c is treated as a single-byte character, not a double-byte character.

In this demonstration, I will be using MySQL 5.0 and the mysqli extension for PHP. If you want to try it, make sure you use GBK.

Create a table named users:

Copy code The code is as follows:

CREATE TABLE users(
username VARCHAR(32) CHARACTER SET GBK,
password VARCHAR(32) CHARACTER SET GBK,
PRIMARY KEY(username)
);

The following code simulates using only addslashes (or magic_quotes_gpc ) When escaping query data:
Copy code The code is as follows:

$mysql = array();
$db = mysqli_init();
$db->real_connect('localhost', 'lorui', 'lorui.com', 'lorui_db');
/ *SQL injection example*/
$_POST['username'] = chr(0xbf) . chr(0×27) . ' OR username = username /*'; $_POST['password'] = 'guess'; $mysql['username'] = addslashes($_POST['username']); $mysql['password'] = addslashes($_POST['password']); $sql = "SELECT * FROM users WHERE username = ' {$mysql['username']}' AND password = '{$mysql['password']}'"; $result = $db->query($sql); if ($result->num_rows) { /* Success*/ } else { /* Failure*/ }

Despite using addslashes, I can successfully log in without knowing my username and password. I can easily exploit this vulnerability to perform SQL injection.

To avoid this vulnerability, use mysql_real_escape_string, prepared statements (Prepared Statements, "parameterized queries"), or any mainstream database abstraction library.

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/759336.htmlTechArticleFirst of all: don't use mysql_escape_string, it has been deprecated, use mysql_real_escape_string instead. The difference between mysql_real_escape_string and addslashes is: Difference 1: adds...
Statement
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
How does PHP identify a user's session?How does PHP identify a user's session?May 01, 2025 am 12:23 AM

PHPidentifiesauser'ssessionusingsessioncookiesandsessionIDs.1)Whensession_start()iscalled,PHPgeneratesauniquesessionIDstoredinacookienamedPHPSESSIDontheuser'sbrowser.2)ThisIDallowsPHPtoretrievesessiondatafromtheserver.

What are some best practices for securing PHP sessions?What are some best practices for securing PHP sessions?May 01, 2025 am 12:22 AM

The security of PHP sessions can be achieved through the following measures: 1. Use session_regenerate_id() to regenerate the session ID when the user logs in or is an important operation. 2. Encrypt the transmission session ID through the HTTPS protocol. 3. Use session_save_path() to specify the secure directory to store session data and set permissions correctly.

Where are PHP session files stored by default?Where are PHP session files stored by default?May 01, 2025 am 12:15 AM

PHPsessionfilesarestoredinthedirectoryspecifiedbysession.save_path,typically/tmponUnix-likesystemsorC:\Windows\TemponWindows.Tocustomizethis:1)Usesession_save_path()tosetacustomdirectory,ensuringit'swritable;2)Verifythecustomdirectoryexistsandiswrita

How do you retrieve data from a PHP session?How do you retrieve data from a PHP session?May 01, 2025 am 12:11 AM

ToretrievedatafromaPHPsession,startthesessionwithsession_start()andaccessvariablesinthe$_SESSIONarray.Forexample:1)Startthesession:session_start().2)Retrievedata:$username=$_SESSION['username'];echo"Welcome,".$username;.Sessionsareserver-si

How can you use sessions to implement a shopping cart?How can you use sessions to implement a shopping cart?May 01, 2025 am 12:10 AM

The steps to build an efficient shopping cart system using sessions include: 1) Understand the definition and function of the session. The session is a server-side storage mechanism used to maintain user status across requests; 2) Implement basic session management, such as adding products to the shopping cart; 3) Expand to advanced usage, supporting product quantity management and deletion; 4) Optimize performance and security, by persisting session data and using secure session identifiers.

How do you create and use an interface in PHP?How do you create and use an interface in PHP?Apr 30, 2025 pm 03:40 PM

The article explains how to create, implement, and use interfaces in PHP, focusing on their benefits for code organization and maintainability.

What is the difference between crypt() and password_hash()?What is the difference between crypt() and password_hash()?Apr 30, 2025 pm 03:39 PM

The article discusses the differences between crypt() and password_hash() in PHP for password hashing, focusing on their implementation, security, and suitability for modern web applications.

How can you prevent Cross-Site Scripting (XSS) in PHP?How can you prevent Cross-Site Scripting (XSS) in PHP?Apr 30, 2025 pm 03:38 PM

Article discusses preventing Cross-Site Scripting (XSS) in PHP through input validation, output encoding, and using tools like OWASP ESAPI and HTML Purifier.

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

Video Face Swap

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Tools

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

SAP NetWeaver Server Adapter for Eclipse

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!

mPDF

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

ZendStudio 13.5.1 Mac

ZendStudio 13.5.1 Mac

Powerful PHP integrated development environment