
Introduction to the usage of mysql_real_escape_string() function in php

WBOY
Release: 2016-07-25 08:58:13
This article introduces the usage of the mysql_real_escape_string() function in PHP, with worked examples of the SQL injection it is meant to prevent.

Definition and usage

mysql_real_escape_string() escapes the special characters in a string so that the string can be placed inside a quoted literal in a SQL statement. The following characters are affected: \x00 (NUL), \n, \r, \ (backslash), ', " and \x1a (Ctrl-Z). On success the function returns the escaped string; on failure it returns false.

Syntax

mysql_real_escape_string(string, connection)

Parameters

string: required. The string to be escaped.
connection: optional. The MySQL connection to use. If not specified, the last connection opened with mysql_connect() or mysql_pconnect() is used.

Notes

The function escapes the special characters while taking the connection's current character set into account, which is why the result is safe to use with mysql_query(). This holds only when the character set was set through mysql_set_charset(); if it was changed with a `SET NAMES` query, the client library does not know about the change, and with some multibyte character sets (GBK is the well-known case) a crafted byte sequence can smuggle a quote past the escaping. The function is also only meaningful for values placed inside quotes: it does nothing for a value interpolated into an unquoted numeric position. mysql_real_escape_string() was deprecated in PHP 5.5.0 and removed with the rest of the mysql extension in PHP 7.0.0; the equivalents are mysqli_real_escape_string() and PDO::quote(), and prepared statements avoid the problem altogether.

Tip: use this function to help prevent SQL injection whenever untrusted input is interpolated into a quoted string in a query. Prepared statements (mysqli or PDO) are the stronger defense, because the data is then never parsed as SQL at all.
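To see what the escaping actually does, here is an added example (not code from the original article). demo_escape() is a portable stand-in that applies the seven escaping rules listed above, so the effect is visible without a MySQL connection and on PHP 7+, where the mysql_* extension no longer exists; unlike the real function it knows nothing about the connection charset, so it is for illustration only. The input is the payload the article uses in example 2, and the id column in the last two lines is an assumption made for this example.

```php
<?php
// Added example, not code from the original article. demo_escape() is a
// portable stand-in for the seven escaping rules of mysql_real_escape_string();
// it is NOT charset-aware and exists only to show the transformation.
function demo_escape(string $value): string
{
    return strtr($value, [
        "\x00" => '\\0',   // NUL
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',  // backslash
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',   // Ctrl-Z
    ]);
}

// Constructed input: the payload the article uses in example 2.
$user = 'john';
$pwd  = "' OR ''='";

// Interpolated as-is, the first quote in $pwd ends the literal and the rest
// of the payload becomes part of the SQL.
$unsafe = "SELECT * FROM users WHERE user='$user' AND password='$pwd'";

// Escaped, every quote in the payload is just a character inside the literal.
$safe = "SELECT * FROM users WHERE user='" . demo_escape($user)
      . "' AND password='" . demo_escape($pwd) . "'";

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;

// Escaping only protects a quoted literal. Nothing in this value needs
// escaping, so an unquoted numeric comparison stays injectable; cast
// (or bind as an integer) instead. The id column is an assumption.
$id = '1 OR 1=1';
echo "SELECT * FROM users WHERE id=" . demo_escape($id), PHP_EOL;
echo "SELECT * FROM users WHERE id=" . (int) $id, PHP_EOL;
```

Running it prints the unescaped tautology query from example 2, then the escaped version in which the whole payload remains inside the password literal as `\' OR \'\'=\'`, and finally the two id queries: the escaped one is unchanged and still carries the `OR 1=1`, while the cast one compares against the integer 1 only.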

Here are some examples of the mysql_real_escape_string() function for your reference.

Example 1:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Obtain the user name and password (here from the POST request, as in example 2)
$user = $_POST['user'];
$pwd = $_POST['pwd'];

// Escape the user name and password so they can be used inside quoted SQL literals
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// More code

mysql_close($con);
?>

Example 2: the attack when the input is not escaped.

<?php
/**
* Shows what happens when mysql_real_escape_string() is NOT applied to the
* user name and password (deliberately vulnerable code).
*/
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// The user name and password are neither checked nor escaped;
// they can be anything the user submits, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// Some code...

mysql_close($con);
?>

The SQL query then becomes:

SELECT * FROM users WHERE user='john' AND password='' OR ''=''

Because AND binds more tightly than OR, MySQL reads this as (user='john' AND password='') OR ''='', and ''='' is always true, so the query returns every row of users. Any user can therefore log in without supplying a valid password.

Example 3: guarding against the attack.

<?php
/**
* Guarding against the attack
*/
function check_input($value)
{
// Remove the slashes added by magic quotes, so the value is not escaped twice
// (magic quotes were removed in PHP 5.4; get_magic_quotes_gpc() was deprecated
// in PHP 7.4 and removed in PHP 8.0)
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote and escape the value unless it is numeric.
// Caution: the unquoted branch relies entirely on is_numeric(), which also
// accepts forms such as "1e3" and " 1"; for an integer column, casting with
// (int) is the safer choice.
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Build the SQL safely
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>
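The same login lookup written with mysqli prepared statements, as an added example that is not part of the original article. This is the replacement for mysql_real_escape_string() on PHP 7 and later, where the mysql extension no longer exists. The table and column names (users, user, password) and the connection credentials are the article's; the database name `test`, the id column in find_user_by_id() and the `$_POST` keys are assumptions for this example.

```php
<?php
// Added example, not code from the original article: prepared statements
// replace manual escaping. The database name and the id column are assumptions.
function find_user(mysqli $db, string $user, string $pwd): ?array
{
    // The placeholders are sent to the server separately from the SQL text,
    // so the input can never change the structure of the statement; nothing
    // is escaped by hand and the quoting decision of example 3 goes away.
    $stmt = $db->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pwd);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// For a numeric column, bind an integer ('i') after casting, rather than
// leaving the value unquoted on the strength of an is_numeric() check.
function find_user_by_id(mysqli $db, $id): ?array
{
    $id = (int) $id;
    $stmt = $db->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$db = new mysqli('localhost', 'hello', '321', 'test');      // database name is an assumption
$db->set_charset('utf8mb4');                                 // set the charset through the API, never with SET NAMES

$row = find_user($db, $_POST['user'] ?? '', $_POST['pwd'] ?? '');
echo $row === null ? 'login failed' : 'welcome ' . $row['user'], PHP_EOL;

$db->close();
```

set_charset() matters even with prepared statements: it keeps the client library's idea of the connection charset in sync with the server, which is the same condition the escaping function depends on. The example keeps the article's plaintext password comparison to stay on topic; a real login would store a hash and compare with password_verify() instead.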


source:php.cn