
A note on PHP mysql_real_escape_string_PHP tutorial

WBOY (Original)
2016-07-13 10:33:47

The mysql_real_escape_string() function escapes special characters in strings used in SQL statements.

The following characters are affected:

  • \x00
  • \n
  • \r
  • '
  • "
  • \x1a

If successful, the function returns the escaped string. If failed, returns false.

Syntax: mysql_real_escape_string(string, connection)

  • Parameter string, required. Specifies the string to be escaped.
  • Parameter connection, optional. Specifies the MySQL connection. If not specified, the previous connection is used.

This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query(). Use this function to prevent database attacks.

Simple use of mysql_real_escape_string()

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
	die('Could not connect: ' . mysql_error());
}
// Code that obtains the username and password
// Escape the username and password so they can be used in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";
// More code
mysql_close($con);
?>

SQL injection situation (mysql_real_escape_string() is not used)

Database attack. This example shows what happens if we don't apply the mysql_real_escape_string() function to the username and password:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
	die('Could not connect: ' . mysql_error());
}
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// The username and password are not checked,
// so they can be anything the user submits, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// Some code...
mysql_close($con);
?>

Then the SQL query will look like this:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means that any user can log in without entering a valid password.

Correct ways to prevent database attacks:

<?php
function check_input($value)
{
	// Remove the slashes added by magic_quotes
	if (get_magic_quotes_gpc())
	{
		$value = stripslashes($value);
	}
	// Escape the value and wrap it in quotes so it can be used in SQL
	// (the numeric check is left disabled, so every value is quoted)
	//if (!is_numeric($value))
	//{
		$value = "'" . mysql_real_escape_string($value) . "'";
	//}
	return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
	die('Could not connect: ' . mysql_error());
}
// Build the SQL safely
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
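The escaping only protects a value that sits inside quotes in the SQL text. The following is an added example, not code from the original article: it models the escaping rule the article lists with a local function (mysql_real_escape_string() itself needs a live connection and was removed in PHP 7), and builds the article's login query both with and without quotes around the escaped values. The function names and sample inputs are constructed for this example.

```php
<?php
// Added example (not from the original article). escape_like_mysql() is a
// stand-in that applies the backslash rule the article lists, so the script
// runs without a database.
function escape_like_mysql(string $value): string
{
    // Each listed character gets a backslash prefix; NUL becomes \0 and
    // Control-Z (0x1a) becomes \Z, as MySQL's escaping does.
    $map = [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x00" => "\\0",
        "\x1a" => "\\Z",
    ];
    return strtr($value, $map);
}

// Builds the article's query; $quoted selects whether the escaped values
// are wrapped in single quotes (as check_input() must do) or left bare.
function build_login_query(string $user, string $pwd, bool $quoted): string
{
    $u = escape_like_mysql($user);
    $p = escape_like_mysql($pwd);
    return $quoted
        ? "SELECT * FROM users WHERE user='$u' AND password='$p'"
        : "SELECT * FROM users WHERE user=$u AND password=$p";
}

// Constructed inputs: the article's own payload, and one with no
// special characters at all.
$quotePayload   = "' OR ''='";
$numericPayload = "1 OR 1=1";

// Quoted: every quote in the payload is now \' and stays inside the
// string literal, so the database compares against the literal text.
echo build_login_query('john', $quotePayload, true), "\n";

// Unquoted: the value contains nothing to escape, so it passes through
// unchanged and is parsed as SQL. This is why the escaped value must be
// quoted in check_input(); escaping on its own does not make a bare
// value safe.
echo build_login_query('john', $numericPayload, false), "\n";
```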

Some experience

mysql_escape_string() also has a similar effect. Regarding these two functions, I remember that when I used the mysql_real_escape_string() function, the program always made errors, and I didn’t know the cause of the errors. Later, when I changed to the mysql_escape_string() function, it worked. Searching the manual, I found that when using mysql_real_escape_string(), a database connection must be established first, otherwise an error will be reported -___-|||

mysql_real_escape_string() calls MySQL's library function mysql_escape_string, which prepends backslashes to the following characters: NULL (\x00), \n, \r, \, ', " and \x1a.

mysql_escape_string() does not escape % and _.

mysql_escape_string() is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
 OR die(mysql_error());
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
 mysql_real_escape_string($user),
 mysql_real_escape_string($password));
?>
