
php mysql_real_escape_string function usage and example tutorial_php basics

WBOY (Original)
2016-05-16 08:59:59

Escapes the special characters in unescaped_string, taking into account the current character set of the connection, so that the result is safe to place in mysql_query(). If binary data is to be inserted, this function must be used.

The following characters are affected:

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

If successful, this function returns the escaped string. On failure, it returns false.

Syntax

mysql_real_escape_string(string, connection)

Parameter    Description
string       Required. Specifies the string to be escaped.
connection   Optional. Specifies the MySQL connection. If not specified, the most recently opened connection is used.

Description

This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query().

Tips and Notes

Tip: Use this function on every user-supplied value you place in a query; it prevents SQL injection (the "database attacks" shown in the examples below).

Example

Example 1

The code is as follows:

<?php
// Note: the mysql_* extension used here was deprecated in PHP 5.5 and removed in PHP 7.0.
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

// Read the username and password submitted by the login form
$user = $_POST['user'];
$pwd = $_POST['pwd'];

// Escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// Run the query and handle the result here

mysql_close($con);
?>

Example 2
Database attack: this example shows what happens if we do not apply mysql_real_escape_string() to the username and password:

The code is as follows:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

// The form values are placed directly into the query without escaping
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// The username and password are not checked, so they
// can be anything the user enters, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// Some code...

mysql_close($con);
?>

The SQL query then becomes:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means that any user can log in without entering a valid password.
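To see what the escaping rules listed above (the seven affected characters) do to the `' OR ''='` value from Example 2, here is an added illustration that is not code from the original article. It re-implements those seven substitutions in plain PHP so the output can be inspected without a database; the function name `escape_like_mysql()` and the sample inputs are constructed for this example. Unlike the real mysql_real_escape_string(), this helper knows nothing about the connection's character set, so it is for understanding the output only, not a replacement.

```php
<?php
// Added illustration, not part of the original article: a plain-PHP
// re-implementation of the seven substitutions mysql_real_escape_string()
// performs, so their effect can be seen without a database connection.
// Caveat: the real function also honours the connection's character set;
// this helper does not, so never use it in place of the real function.

function escape_like_mysql($s)
{
    // strtr() with an array replaces every listed key in a single pass.
    return strtr($s, [
        "\x00" => '\\0',    // NUL byte
        "\n"   => '\\n',    // line feed
        "\r"   => '\\r',    // carriage return
        "\\"   => '\\\\',   // backslash
        "'"    => "\\'",    // single quote
        '"'    => '\\"',    // double quote
        "\x1a" => '\\Z',    // Ctrl-Z (\x1a)
    ]);
}

function build_query($user, $pwd)
{
    // Same shape as Example 1: the escaped values sit inside single quotes.
    return "SELECT * FROM users WHERE user='" . escape_like_mysql($user)
         . "' AND password='" . escape_like_mysql($pwd) . "'";
}

// Constructed inputs for the demonstration.
$payload = "' OR ''='";            // the value Example 2 feeds into password=
$every   = "\x00\n\r\\'\"\x1a";    // one of each affected character

echo build_query('john', $payload), PHP_EOL;
echo bin2hex($every), ' -> ', escape_like_mysql($every), PHP_EOL;
?>
```

Run it with `php` on the command line. The password clause comes out as `password='\' OR \'\'=\''`: every quote in the input is now preceded by a backslash, so MySQL reads the whole value as one string literal rather than closing the quote early and appending `OR ''=''`. The second line prints the raw bytes `000a0d5c27221a` followed by `\0\n\r\\\'\"\Z`, one substitution per affected character.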

Example 3
Correct ways to prevent database attacks:

The code is as follows:

<?php
function check_input($value)
{
    // Remove the slashes added by magic quotes so the value is not escaped twice
    // (get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0)
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // If the value is not a number, escape it and wrap it in quotation marks
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}

// Build and run the query safely
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>
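Because the mysql_* functions used in Example 3 were removed in PHP 7.0, here is the same check_input() approach ported to the mysqli extension as an added example (not code from the original article). The host, the `hello`/`321` credentials and the database name `mydb` are placeholders, and `$_POST` values are assumed to come from a login form as in Example 3.

```php
<?php
// Added example, not part of the original article: Example 3's check_input()
// ported to mysqli, which replaced the mysql_* extension removed in PHP 7.0.
// Connection details below are placeholders, not real credentials.

function check_input(mysqli $con, $value)
{
    // Magic quotes no longer exist in PHP 8, so no stripslashes() step is needed.
    // Numbers are passed through unquoted; everything else is escaped and quoted.
    if (is_numeric($value)) {
        return $value;
    }
    // mysqli_real_escape_string() takes the connection explicitly so that it can
    // honour the character set configured with mysqli_set_charset() below.
    return "'" . mysqli_real_escape_string($con, $value) . "'";
}

$con = mysqli_connect("localhost", "hello", "321", "mydb"); // placeholder values
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
// Declare the connection character set through the client library; the escaping
// rules depend on it, so set it here rather than with a SET NAMES query.
mysqli_set_charset($con, "utf8mb4");

$user = check_input($con, $_POST['user'] ?? '');
$pwd  = check_input($con, $_POST['pwd'] ?? '');
$sql  = "SELECT * FROM users WHERE user=$user AND password=$pwd";

$result = mysqli_query($con, $sql);
if ($result === false) {
    die('Query failed: ' . mysqli_error($con));
}
// ... use $result ...

mysqli_close($con);
?>
```

The two things that differ from Example 3 are that the connection is passed to the escaping function and that the character set is set explicitly, which is what lets the escaping account for the connection's encoding as the description above requires. A prepared statement (mysqli_prepare() with bound parameters) sends values separately from the SQL text and removes the need to escape them at all; escaping remains the right tool when a query must be assembled as a string.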
