简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Article  >  Backend Development  >  Introduction to the usage of mysql_real_escape_string() function in php

Introduction to the usage of mysql_real_escape_string() function in php

WBOY
WBOYOriginal
2016-07-25 08:58:13999browse
This article introduces the usage of the mysql_real_escape_string() function in PHP. Friends in need can refer to it.

Definition and usage The mysql_real_escape_string() function escapes special characters in strings used in SQL statements. The following characters are affected: x00 n r ' " x1a If successful, the function returns the escaped string. If failed, returns false.

Grammar mysql_real_escape_string(string,connection)

Parameter Description string required. Specifies the string to be escaped. connection is optional. Specifies the MySQL connection. If not specified, the previous connection is used.

Instructions This function escapes special characters in a string, taking into account the connection's current character set, and is therefore safe to use with mysql_query(). Tips and Notes

Tips: You can use this function to prevent database attacks.

Here are some examples of the mysql_real_escape_string() function for your reference.

Example 1:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// 获得用户名和密码的代码

// 转义用户名和密码,以便在 SQL 中使用
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"

// 更多代码
//by bbs.it-home.org
mysql_close($con);
?>

Example 2, database attack. 

<?php
/**
* 演示如果不对用户名和密码应用 mysql_real_escape_string() 函数会发生什么情况。
* edit bbs.it-home.org
*/
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// 不检查用户名和密码
// 可以是用户输入的任何内容,比如:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// 一些代码...

mysql_close($con);
?>

Then the SQL query will become like this: SELECT * FROM users WHERE user='john' AND password='' OR ''='' That is, any user can log in without entering a valid password.

Example 3:

<?php
/**
* 预防数据库攻击
* edit bbs.it-home.org
*/
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// 如果不是数字则加引号
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// 进行安全的 SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>


Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:Analysis of the differences between php functions substr(), mb_substr() and mb_strcutNext article:Analysis of the differences between php functions substr(), mb_substr() and mb_strcut

Related articles

See more