  1. #1
    SitePoint Guru
    Join Date
    Sep 2008
    Location
    Dubai
    Posts
    971

    Why use mysql_real_escape_string?

    Why do we use it when coding registration?

  2. #2
    felgall, Programming Since 1978
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,875
    It is used to escape those special characters that would otherwise change the meaning of an SQL command. For example, the strings inside an SQL query are enclosed in single quotes, and so any single quotes in the text need to be escaped, as otherwise the first single quote will end the text and the rest of the text will be interpreted as SQL. This is how many databases where the code isn't written properly are broken into, since they can use it to add OR 1=1 to the end of the query and so have it run even if other criteria are not met.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Guru
    Join Date
    Sep 2008
    Location
    Dubai
    Posts
    971
    Understood.

  4. #4
    Jake Arkinstall, Theoretical Physics Student
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    To put an example to felgall's explanation:
    PHP Code:
    <?php
    // Input that contains single quotes.
    $username = "' or '1' = '1";
    $query = "SELECT id FROM users WHERE username = '{$username}'";
    echo '<p><b>Unescaped Query:</b> ' . $query . '</p>';
    // mysql_real_escape_string() needs an open MySQL connection (old mysql extension).
    $username = mysql_real_escape_string($username);
    $query = "SELECT id FROM users WHERE username = '{$username}'";
    echo '<p><b>Escaped Query:</b> ' . $query . '</p>';
    Run that query in PHPMyAdmin - it will fetch everything (because for each row, '1' == '1')
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes it's enough to make that wheel more rounded"-Molona
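
An added example (not part of the original posts) that runs the thread's `' or '1' = '1` input against a constructed users table three ways: concatenated unescaped, escaped, and bound as a parameter. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database, so PDO::quote() stands in for mysql_real_escape_string(), which needs a MySQL connection; the table, rows and the helper matchCount() are made up for the illustration.

```php
<?php
// Added example: constructed table and rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

// The input used in the post above.
$username = "' or '1' = '1";

// Hypothetical helper: number of rows a statement selected.
function matchCount(PDOStatement $stmt): int
{
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

// 1. Unescaped: the first quote in the input ends the string literal and
//    the rest is parsed as SQL, so the WHERE clause is true for every row.
$unescaped = "SELECT id FROM users WHERE username = '{$username}'";
$allRows = matchCount($db->query($unescaped));

// 2. Escaped: PDO::quote() wraps the value in quotes and escapes the quotes
//    inside it, so the whole input stays one string literal.
$escaped = 'SELECT id FROM users WHERE username = ' . $db->quote($username);
$escapedRows = matchCount($db->query($escaped));

// 3. Bound parameter: the value is sent separately from the SQL text and is
//    never parsed as SQL, so no escaping step can be forgotten.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->execute([$username]);
$boundRows = matchCount($stmt);

echo 'Unescaped query: ', $unescaped, PHP_EOL;
echo 'Rows matched:    ', $allRows, PHP_EOL;
echo 'Escaped query:   ', $escaped, PHP_EOL;
echo 'Rows matched:    ', $escapedRows, PHP_EOL;
echo 'Bound parameter, rows matched: ', $boundRows, PHP_EOL;
```

No user is actually named `' or '1' = '1`, so the escaped and bound queries match nothing, while the unescaped one matches all three rows.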

