php mysql_real_escape_string function usage and example tutorial_php basics
- WBOYOriginal
- 2016-05-16 08:59:592810browse
Escape special characters in unescaped_string, taking into account the current character's connection settings so that it is safe in place in mysql_query() it. If binary data is to be inserted, this function must be used
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
If successful, this function returns the escaped string. If failed, returns false.
Syntax
mysql_real_escape_string(string,connection)
| Parameters | Description |
|---|---|
| string | Required. Specifies the string to be escaped. |
| connection | Optional. Specifies the MySQL connection. If not specified, the previous connection is used. |
Description
This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query().
Tips and Notes
Tip: You can use this function to prevent database attacks.
Example
Example 1
$con = mysql_connect( "localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
//Get the code for username and password
//Escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
//More codes
mysql_close($con);
?>
Example 2
Database attack. This example shows what happens if we don't apply the mysql_real_escape_string() function to the username and password:
$con = mysql_connect( "localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
//Do not check username and password
// Can be anything entered by the user, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
//Some code...
mysql_close($con);
?>
Then the SQL query will become like this:
SELECT * FROM users
WHERE user='john' AND password='' OR ''='' This means that any user can log in without entering a valid password.
Example 3
Correct ways to prevent database attacks:
function check_input($value )
{
// Remove slashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// If not a number Then add quotation marks
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error()) ;
}
// Perform secure SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = " SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>