
php mysql_real_escape_string function usage and example tutorial_PHP tutorial

WBOY (Original), 2016-07-21 16:13:29

Escapes special characters in unescaped_string, taking into account the current character set of the connection, so that the result is safe to place in mysql_query(). If binary data is to be inserted, this function must be used.

The following characters are affected (each is prefixed with a backslash in the escaped output):

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

On success, the function returns the escaped string. On failure, it returns false.

Syntax

mysql_real_escape_string(string,connection)

Parameter   Description
string      Required. The string to be escaped.
connection  Optional. The MySQL connection to use. If not specified, the most recently opened connection is used.

Description

This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query().

Tips and Notes

Tip: You can use this function to prevent database attacks.

Example

Example 1

The code is as follows:

<?php
// Note: the mysql_* extension was removed in PHP 7; this example targets PHP 5.
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// Code to get username and password (here: from the submitted form)
$user = $_POST['user'];
$pwd = $_POST['pwd'];

// Escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// More code

mysql_close($con);
?>

Example 2
Database attack. This example shows what happens if we don't apply the mysql_real_escape_string() function to the username and password:

The code is as follows:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// The user input is interpolated directly into the query, without escaping
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// Nothing checks the username and password.
// They can be anything the user entered, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// Some code...

mysql_close($con);
?>

Then the SQL query will look like this:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means that any user can log in without entering a valid password.

Example 3
Correct way to prevent database attacks:

The code is as follows:

<?php
function check_input($value)
{
// Remove the slashes added by magic_quotes_gpc, if it is enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// If the value is not a number, escape it and wrap it in quotes
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// Build and run the SQL safely
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>
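To make the login bypass of Example 2 and the fix of Example 3 reproducible offline, here is an added example (not part of the original tutorial) that runs the same query against an in-memory SQLite database through PDO; because the mysql_* extension was removed in PHP 7, PDO::quote() stands in for mysql_real_escape_string() plus the surrounding quotes, and a prepared statement is shown as the preferred alternative. The users table, its single row and the PDO port of check_input() are constructed for this example.

```php
<?php
// Added example, not from the original article: Example 2's attack and
// Example 3's defence against an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and data
$db->exec("CREATE TABLE users (user TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('john', 'correct-horse')");

// Attacker-controlled input, exactly as in Example 2
$user = 'john';
$pwd  = "' OR ''='";

function report($label, array $rows)
{
    echo $label . ': ' . count($rows) . " row(s) -> "
        . ($rows ? "login bypassed\n" : "rejected\n");
}

// 1) Example 2: raw interpolation. The quote in $pwd closes the string
//    literal and the rest becomes SQL; the tautology ''='' matches every row.
$vulnerable = "SELECT * FROM users WHERE user='$user' AND password='$pwd'";
report('unescaped', $db->query($vulnerable)->fetchAll(PDO::FETCH_ASSOC));

// 2) Example 3's check_input(), ported to PDO: quote non-numeric values.
//    PDO::quote() escapes and wraps the value, like the original's
//    "'" . mysql_real_escape_string($value) . "'".
function check_input(PDO $db, $value)
{
    return is_numeric($value) ? $value : $db->quote($value);
}
$escaped = "SELECT * FROM users WHERE user=" . check_input($db, $user)
         . " AND password=" . check_input($db, $pwd);
report('escaped  ', $db->query($escaped)->fetchAll(PDO::FETCH_ASSOC));

// 3) Prepared statement: the values never become part of the SQL text, so
//    there is no quoting or charset rule left for an input to slip past.
$stmt = $db->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
$stmt->execute([$user, $pwd]);
report('prepared ', $stmt->fetchAll(PDO::FETCH_ASSOC));
```

Run it with the php CLI; it needs only the pdo_sqlite extension, which is bundled with PHP by default. The first query returns john's row although the password is wrong, while the quoted and the prepared variants return no rows.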
