stackoom
  简体   繁体   中英

mysql_real_escape_string is not working

 原文  2014-11-09 09:18:39       php/ sql/ forms/ sql-injection

Question

I have the following action page after user submits their form data. I want to prevent SQL injection attacks so I have tried using the function mysql_real_escape_string. However, After I insert something data such as eg Field Name : My Brother's Car. The data in the database is the same, "My Brother's Car". It did not change at all or the mysql_real_escape_string got ignored?

When I display the variable name using echo with the mysql_real_escape_string, it displays "My Brother\\'s Car. However, it does not work when you insert it into the database. 

<?php
$mysqli = mysqli_connect("localhost", "hecton", "ccna", "joomladb");

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
} else {



$id = mysql_real_escape_string($_POST['id']);  
$name = mysql_real_escape_string($_POST['name']);  
$gender = mysql_real_escape_string($_POST['gender']);  
$dateofbirth = mysql_real_escape_string($_POST['dateofbirth']);  
$placeofbirth = mysql_real_escape_string($_POST['placeofbirth']);  
$address = mysql_real_escape_string($_POST['address']);  
$schoolname = mysql_real_escape_string($_POST['schoolname']);  
$qualification = mysql_real_escape_string($_POST['qualification']);  
$skills1 = mysql_real_escape_string($_POST['skills1']);  
$skills2 = mysql_real_escape_string($_POST['skills2']);  
$awards = mysql_real_escape_string($_POST['awards']);  
$Volunteer = mysql_real_escape_string($_POST['Volunteer']);

     $query = " INSERT INTO j71mi_resumeinfo ( id, name, gender, dateofbirth, placeofbirth, address, schoolname, qualification, skills1, skills2, awards, Volunteer )  VALUES ( '$id', '$name', '$gender', '$dateofbirth', '$placeofbirth', '$address', '$schoolname', '$qualification', '$skills1', '$skills2', '$awards', '$Volunteer' ) "; 
 $result = mysqli_query($mysqli, $query); 


    if ($result === TRUE) {
        echo "A record has been successfully inserted into the database!."; 
        echo "<b><h1><center>My Resume</h1></b></center>";

        echo "<div style='font-size: large; font-family: sans-serif'>
              <p style='color: white; background-color: black'>Personal Details</p></div>";
              echo "<br>";


        echo "<b>Name:</b>".($_POST['name']); 
                echo "<br>";
        echo "<b>Gender:</b>".$_POST['gender'];
                echo "<br>";
        echo "<b>Date of Birth:</b>".$_POST['dateofbirth'];
                echo "<br>";
        echo "<b>Place of Birth:</b>".$_POST['placeofbirth'];
                echo "<br>";
        echo "<b>Home Address:</b>".$_POST['address'];
        echo "<div style='font-size: large; font-family: sans-serif'>
              <p style='color: white; background-color: black'>Educational Details</p></div>";
              echo "<br>";
        echo "<b>School Name:</b>".$_POST['schoolname'];
                echo "<br>";
        echo "<b>Qualification(s):</b>".$_POST['qualification'];
                echo "<br>";
        echo "<b>Skill 1:</b>".$_POST['skills1'];
                echo "<br>";
                if(!empty($_POST['skills2']) and isset($_POST['skills2'])){
        echo "<b>Skill 2:</b>".$_POST['skills2'];
                echo "<br>";
                }
                if(!empty($_POST['awards']) || !empty($_POST['Volunteer'])){
                echo "<div style='font-size: large; font-family: sans-serif'>
              <p style='color: white; background-color: black'>Other Details</p></div>";
              echo "<br>";
              }
              if(!empty($_POST['awards']) and isset($_POST['awards'])){
              echo "<b>Award(s):</b>".$_POST['awards'];

                echo "<br>";
                }
                if(!empty($_POST['Volunteer']) and isset($_POST['Volunteer'])){
        echo "<b>Volunteer Activity:</b>".$_POST['Volunteer'];
        echo "<br>";
        }

        echo "<br>";
        echo "<b><h5><center>End of Resume</h5></b></center>";



    } else {
        printf("Could not insert record: %s\n", mysqli_error($mysqli));
    }

    mysqli_close($mysqli);
}
?>

1 answers

solution1
 2 ACCPTED  2014-11-09 09:24:24

The data was actually escaped.

When you look at the data in the database, the fact that it exists there means it was escaped -- it is only escaped so it isn't accepted as a character within the query. Once it is inside the database, it is treated as part of the data .

For example, INSERT INTO table VALUES ('My brother\\'s car'); will insert My brother's car into the database. Since ' is a reserved character in MySQL, it is not treated as part of the query but part of the dataset, a "valid" single quote rather than a "begin value section" character.

Note: don't use mysql_real_escape_string when using mysqli_ functions. It has its own equivalent .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question mysql_real_escape_string() not working in cakePHP mysql_real_escape_string not working? mysql_real_escape_string function not working mysql_real_escape_string not working mysql_real_escape_string($value) not working mysql_real_escape_string not working on windows mysql_real_escape_string and ’ mysql_real_escape_string working perfectly in localhost, not working online mysql_real_escape_string does not escape " Why isn't mysql_real_escape_string working?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM