what does mysql real escape string really do

Question

One thing that I hate about documentation at times  when you re a beginner  is how it doesn t really describe things in english  Would anyone mind translating this documentation for me  I d like to know how exactly this makes things harder for a hacker to insert characters   http   php net manual en function mysql-real-escape-string php  Also  if this is the case  how would a hacker try to insert characters

User · Answer

Best explained here   http   www w3schools com php func mysql real escape string asp http   www tizag com mysqlTutorial mysql-php-sql-injection php  It generally it helps to avoid SQL injection  for example consider the following code   lt  php    Query database to check if there are any matching users  query    quot SELECT   FROM users WHERE user     POST  username     AND password     POST  password     quot   mysql query  query       We didn t check   POST  password    it could be anything the user wanted  For example    POST  username      aidan     POST  password      quot   OR      quot       This means the query sent to MySQL would be  echo  query    gt   and a hacker can send a query like   SELECT   FROM users WHERE user  aidan  AND password    OR        This would allow anyone to log in without a valid password

User · Answer

The mysqli real escape string   function escapes special characters in a string for use in an SQL statement

User · Answer

Say you want to save the string I m a  foobar  in the database  Your query will look something like INSERT INTO foos  text  VALUES    text    With the  text variable replaced  this will look like this   INSERT INTO foos  text  VALUES   I m a  foobar      Now  where exactly does the string end  You may know  an SQL parser doesn t  Not only will this simply break this query  it can also be abused to inject SQL commands you didn t intend   mysql real escape string makes sure such ambiguities do not occur by escaping characters which have special meaning to an SQL parser     mysql real escape string  text     gt   I  m a   foobar     This becomes   INSERT INTO foos  text  VALUES   I  m a   foobar       This makes the statement unambiguous and safe  The   signals that the following character is not to be taken by its special meaning as string terminator  There are a few such characters that mysql real escape string takes care of   Escaping is a pretty universal thing in programming languages BTW  all along the same lines  If you want to type the above sentence literally in PHP  you need to escape it as well for the same reasons    text    I  m a  foobar       or  text    I m a   foobar

User · Answer

PHP   s mysql real escape string function is only a wrapper for MySQL   s mysql real escape string function  It basically prepares the input string to be safely used in a MySQL string declaration by escaping certain characters so that they can   t be misinterpreted as a string delimiter or an escape sequence delimiter and thereby allow certain injection attacks   The real in mysql real escape string in opposite to mysql escape string is due to the fact that it also takes the current character encoding into account as the risky characters are not encoded equally in the different character encodings  But you need to specify the character encoding change properly in order to get mysql real escape string work properly

User · Answer

The mysql real escape string   helps you escape special characters such as single quote etc that users may submit to your script  You need to escape such characters because that comes in handy when you want to avoid SQL Injection   I would sugggest you to check out   mysql real escape string   versus Prepared Statements  To be on much safer side  you need to go for Prepared Statements instead as demonstrated through above article

User · Answer

The function adds an escape character  the backslash     before certain potentially dangerous characters in a string passed in to the function  The characters escaped are       x00   n   r          and  x1a     This can help prevent SQL injection attacks which are often performed by using the   character to append malicious code to an SQL query

[php] what does mysql_real_escape_string() really do?

Examples related to php

Examples related to mysql