php - What's the use of mysqli_real_escape_string in case of ' / ' and ' \ ' and ' ' '? -


this question has answer here:

whats use of mysqli_real_escape_string if user inputs 

/  \  '

in input field ?

are harmful ?

and if , what's harm ?

the risk of ' character literal quote character in input can prematurely close quoted string in sql expression. example:

update users set password = '$pass' userid = $id

this assumes $input safe within string. if pass url this:

http://example.com/setpassword.php?id=1234&pass=xyzzy', admin='1

i can trick code doing this:

update users set password = 'xyzzy' , admin='1' userid = 1234

giving myself admin privileges.

the purpose of functions mysqli_real_escape_string() prevent that, ensuring literal quote characters not used terminate string in input copied.

so worst set password long, strange string:

update users set password = 'xyzzy\' , admin=1' userid = 1234

it's more convenient bind input variables query using parameter placeholders, instead of copying them directly string.

<?php  $stmt = $mysqli->prepare("update users set password = ? userid = ?"); $stmt->bind_param("si", $pass, $id); $stmt->execute();

that way don't have worry escaping, or imbalanced quotes. makes code nicer, easier read, , easier debug , maintain.

the drawback parameters take place of scalar value only. can't use them insert dynamic table names, column names, expressions, sql keywords, etc. put string literal, date literal, or numeric literal in sql code.


Comments

Post a Comment

Popular posts from this blog

php - Calling a template part from a post -

i include iframe within post in wordpress. located inside content of post, meaning cannot in post template file, otherwise either before or after. i'd add facebook plugin within posts: <div id="socialwrap"><div class="fb-like" data-href="http://onlinearizonahomes.info" data-send="true" data-width="450" data-show-faces="true" data-font="arial"></div></div> i thinking of calling template part within post <?php get_template_part( 'social' ); ?> cannot use php within post without plugin (i'd avoid using plugin this). an alternative using javascript create html in post, seems unnecessary use of javascript. what best way add html within wordpress post? you can use shortcode. add functions.php function cudjex_fbshare( $atts, $content = null ) { global $post; $link = get_permalink($post->id); return '<div id="socialwrap...
Read more

Firefox SVG shape not printing when it has stroke -

Image
i having issue svg shapes have stroke , trying them print in firefox. this simplest example: <svg xmlns="http://www.w3.org/2000/svg" version="1.1" xmlns:xlink="http://www.w3.org/1999/xlink"> <rect x="0" y="0" rx="15" ry="15" width="300" height="400" style="stroke:black;stroke-width:5;" fill="black" /> <circle id="firstcircle" cx="50" cy="50" r="30" stroke="black" stroke-width="2" fill="white" style="opacity:0.75;"/> <circle id="secondcircle" cx="50" cy="150" r="30" fill="white" style="opacity:0.75;"/> </svg> when try , print first shape 1 of 2 things: it not show @ all it shows off center in bounding box. the second shape no stroke shows expected, expected. when displaying on scre...
Read more

How to mention the localhost in android -

i trying call localhost in android application. unfortunately not possible used several methods emulator local host http://10.0.2.2/android/dbconnection.php and network ip address http://192.168.1.xx/android/dbconnection.php also http://localhost:8080/android/dbconnection.php but nothing connected localhost. purpose refer stackoverflow answers not working i facing same problem when worked on localhost. referred stackoverflow answer got solution create new emulator works fine in new emulator.
Read more