The mysql_real_escape_string() function escapes special characters in a string that is to be used in an SQL statement.
The following characters are affected: \x00, \n, \r, \, ', " and \x1a.
On success, the function returns the escaped string. On failure, it returns false.
Usage: mysql_real_escape_string(string, connection)
- string: required. The string to be escaped.
- connection: optional. The MySQL connection to use. If not specified, the most recently opened connection is used.
This function escapes special characters in string and takes the current character set of the connection into account, so its result can be used safely in mysql_query(). It is used to prevent database attacks (SQL injection).
Simple use of mysql_real_escape_string()
<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// Code for obtaining the user name and password goes here

// Escape the user name and password before using them in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pwd . "'";

// More code

mysql_close($con);
?>
SQL injection (without mysql_real_escape_string())
This example shows what happens if we do not apply mysql_real_escape_string() to the user name and password:
<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// The user name and password are not checked; they can be anything the user
// entered. For example, simulate the following input:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// The raw input is interpolated straight into the statement
$sql = "SELECT * FROM users WHERE user='{$_POST['user']}' AND password='{$_POST['pwd']}'";
mysql_query($sql);

// Some code...

mysql_close($con);
?>
The SQL query will be like this:
SELECT * FROM users WHERE user='john' AND password='' OR ''=''
This means that any user can log on without entering a valid password.
The correct method to prevent database attacks:
<?php
function check_input($value)
{
    // Remove the slashes added by magic_quotes_gpc, if that setting is enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // If the value is not a number, escape it and enclose it in quotation marks
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

$con = mysql_connect("localhost", "hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// Build the SQL statement safely: check_input() escapes and quotes the values
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);

$sql = "SELECT * FROM users WHERE user=$user AND password=$pwd";
mysql_query($sql);

mysql_close($con);
?>
Some notes from experience
mysql_escape_string() also achieves similar results. Regarding these two functions, I remember that when I used the mysql_real_escape_string() function, the program always failed and I did not know the cause of the error. Then I changed it to the mysql_escape_string() function. Looking through the manual, I found that when mysql_real_escape_string() is used, a database connection must first be established; otherwise it reports an error -___-|
mysql_real_escape_string() calls MySQL's library function mysql_escape_string, which prepends backslashes to the following characters: \x00 (NUL), \n, \r, \, ', " and \x1a.
mysql_escape_string() does not escape % and _.
This function is identical to mysql_real_escape_string(), except that mysql_real_escape_string() takes a connection handle and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error());

// Query: the escaped values are inserted into the quoted placeholders
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>
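The injection shown earlier and the escaping rules just described, as an added Python model that is not part of the original article: it escapes the seven listed characters the way MySQL does, rebuilds the login query with and without escaping, and shows which part of each query the server parses as SQL rather than as data. The connection-aware, character-set-dependent behaviour of mysql_real_escape_string() cannot be reproduced without a live connection, so this models only mysql_escape_string().

```python
# Escape sequences MySQL uses for the seven characters listed above
# (\x00 and \x1a become the two-character sequences \0 and \Z).
ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def escape_string(value: str) -> str:
    """Escape like mysql_escape_string(): no connection, not charset-aware."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_login_query(user: str, pwd: str, escape: bool) -> str:
    """The article's login query, with or without escaping applied."""
    if escape:
        user, pwd = escape_string(user), escape_string(pwd)
    return f"SELECT * FROM users WHERE user='{user}' AND password='{pwd}'"


def sql_outside_literals(query: str) -> str:
    """Return the text of query outside single-quoted literals.

    Honours backslash escapes and doubled quotes ('') inside a literal, as
    MySQL's lexer does. Whatever comes back is parsed as SQL, not as data.
    """
    out, in_literal, i = [], False, 0
    while i < len(query):
        ch = query[i]
        if in_literal:
            if ch == "\\" or (ch == "'" and query[i + 1:i + 2] == "'"):
                i += 2  # skip the escaped character or the doubled quote
                continue
            if ch == "'":
                in_literal = False
        elif ch == "'":
            in_literal = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed input: the user name and password from the article's example.
    for escape in (False, True):
        q = build_login_query("john", "' OR ''='", escape)
        print(q)
        print("  parsed as SQL:", sql_outside_literals(q))
```

Without escaping, the OR condition ends up outside every string literal and is executed as SQL; with escaping, the whole password, quotes included, stays inside a single literal. Note that % and _ pass through unchanged, which only matters when the value is used in a LIKE pattern.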