Menu
One thing that I hate about documentation at times (when you're a beginner) is how it doesn't really describe things in english. Would anyone mind translating this documentation for me? I'd like to know how exactly this makes things harder for a hacker to insert characters.
http://php.net/manual/en/function.mysql-real-escape-string.php
Also, if this is the case, how would a hacker try to insert characters?
372
Definition and Usage. The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
mysql_real_escape_string ALONE can prevent nothing. Moreover, this function has nothing to do with injections at all. Whenever you need escaping, you need it despite of "security", but just because it is required by SQL syntax. And where you don't need it, escaping won't help you even a bit.
mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet).
mysql_real_escape_string is safe to use if used properly (ie, everywhere you're inserting PHP variables into your queries), but as has been pointed out in the comments it's not the only thing you need to worry about. For example, HTML markup could be inserted into your DB and used for Cross Site Scripting attacks.
The function adds an escape character, the backslash, \, before certain potentially dangerous characters in a string passed in to the function. The characters escaped are
\x00, \n, \r, \, ', " and \x1a.
This can help prevent SQL injection attacks which are often performed by using the ' character to append malicious code to an SQL query.
51
Say you want to save the string I'm a "foobar" in the database.
Your query will look something like INSERT INTO foos (text) VALUES ("$text").
With the $text variable replaced, this will look like this:
INSERT INTO foos (text) VALUES ("I'm a "foobar"") Now, where exactly does the string end? You may know, an SQL parser doesn't. Not only will this simply break this query, it can also be abused to inject SQL commands you didn't intend.
mysql_real_escape_string makes sure such ambiguities do not occur by escaping characters which have special meaning to an SQL parser:
mysql_real_escape_string($text) => I\'m a \"foobar\" This becomes:
INSERT INTO foos (text) VALUES ("I\'m a \"foobar\"") This makes the statement unambiguous and safe. The \ signals that the following character is not to be taken by its special meaning as string terminator. There are a few such characters that mysql_real_escape_string takes care of.
Escaping is a pretty universal thing in programming languages BTW, all along the same lines. If you want to type the above sentence literally in PHP, you need to escape it as well for the same reasons:
$text = 'I\'m a "foobar"'; // or $text = "I'm a \"foobar\""; If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
