
mysql_escape_string


astralaaron

mysql_real_escape_string() is better. Basically, it escapes any character that could terminate a string or otherwise confuse the MySQL engine. So, if you had a query that looked like

$result = mysql_query("SELECT * FROM users WHERE username=\"{$_POST['username']}\" AND password=\"" . sha1($_POST['password']) . "\"");

then without mysql_real_escape_string(), someone could enter in (e.g., through a form) the username =

" OR true#

(# = MySQL comment delimiter). Then your query would look like

SELECT * FROM users WHERE username="" OR true#" AND password=""

Thereby compromising your system as they would be able to log in without entering even a correct username. mysql_real_escape_string() would escape the " and the # in the username string, thereby preventing people from "injecting" SQL into your script's queries.

$username = mysql_real_escape_string($_POST['username']);
$password = sha1($_POST['password']); //I hope you hash your passwords; no need to escape a hash
$result = mysql_query("SELECT * FROM users WHERE username=\"$username\" AND password=\"$password\"");
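
An added example, not part of the original post: the same login lookup written with a PDO prepared statement, which sends the input separately from the SQL text and also works on PHP 7+, where the mysql_* functions no longer exist. It assumes an in-memory SQLite database in place of MySQL so it runs offline, a constructed users table and account, and it swaps the post's sha1() for password_hash()/password_verify().

```php
<?php
// Added example: the post's login lookup as a parameterized query (PDO).
// Assumptions: in-memory SQLite stands in for MySQL so this runs offline;
// the table layout and the account "alice" are constructed sample data.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only when the username exists and the password matches.
function login(PDO $db, string $username, string $password): bool
{
    // The SQL text is fixed; the username travels separately as a bound
    // value, so quotes or comment characters in it are never parsed as SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    return is_string($hash) && password_verify($password, $hash);
}

$db = open_demo_db();

$attempts = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong password'],  // right user, wrong password
    ['" OR true#', ''],           // the input from the post above
];

foreach ($attempts as [$user, $pass]) {
    printf("%-14s => %s\n", var_export($user, true), login($db, $user, $pass) ? 'accepted' : 'rejected');
}
```

With a MySQL DSN in place of `sqlite::memory:`, the prepare() and execute() calls stay the same.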
