I have the following action page after user submits their form data. I want to prevent SQL injection attacks so I have tried using the function mysql_real_escape_string. However, After I insert something data such as eg Field Name : My Brother's Car. The data in the database is the same, "My Brother's Car". It did not change at all or the mysql_real_escape_string got ignored?
When I display the variable name using echo with the mysql_real_escape_string, it displays "My Brother\\'s Car. However, it does not work when you insert it into the database.
<?php
$mysqli = mysqli_connect("localhost", "hecton", "ccna", "joomladb");
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
} else {
$id = mysql_real_escape_string($_POST['id']);
$name = mysql_real_escape_string($_POST['name']);
$gender = mysql_real_escape_string($_POST['gender']);
$dateofbirth = mysql_real_escape_string($_POST['dateofbirth']);
$placeofbirth = mysql_real_escape_string($_POST['placeofbirth']);
$address = mysql_real_escape_string($_POST['address']);
$schoolname = mysql_real_escape_string($_POST['schoolname']);
$qualification = mysql_real_escape_string($_POST['qualification']);
$skills1 = mysql_real_escape_string($_POST['skills1']);
$skills2 = mysql_real_escape_string($_POST['skills2']);
$awards = mysql_real_escape_string($_POST['awards']);
$Volunteer = mysql_real_escape_string($_POST['Volunteer']);
$query = " INSERT INTO j71mi_resumeinfo ( id, name, gender, dateofbirth, placeofbirth, address, schoolname, qualification, skills1, skills2, awards, Volunteer ) VALUES ( '$id', '$name', '$gender', '$dateofbirth', '$placeofbirth', '$address', '$schoolname', '$qualification', '$skills1', '$skills2', '$awards', '$Volunteer' ) ";
$result = mysqli_query($mysqli, $query);
if ($result === TRUE) {
echo "A record has been successfully inserted into the database!.";
echo "<b><h1><center>My Resume</h1></b></center>";
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Personal Details</p></div>";
echo "<br>";
echo "<b>Name:</b>".($_POST['name']);
echo "<br>";
echo "<b>Gender:</b>".$_POST['gender'];
echo "<br>";
echo "<b>Date of Birth:</b>".$_POST['dateofbirth'];
echo "<br>";
echo "<b>Place of Birth:</b>".$_POST['placeofbirth'];
echo "<br>";
echo "<b>Home Address:</b>".$_POST['address'];
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Educational Details</p></div>";
echo "<br>";
echo "<b>School Name:</b>".$_POST['schoolname'];
echo "<br>";
echo "<b>Qualification(s):</b>".$_POST['qualification'];
echo "<br>";
echo "<b>Skill 1:</b>".$_POST['skills1'];
echo "<br>";
if(!empty($_POST['skills2']) and isset($_POST['skills2'])){
echo "<b>Skill 2:</b>".$_POST['skills2'];
echo "<br>";
}
if(!empty($_POST['awards']) || !empty($_POST['Volunteer'])){
echo "<div style='font-size: large; font-family: sans-serif'>
<p style='color: white; background-color: black'>Other Details</p></div>";
echo "<br>";
}
if(!empty($_POST['awards']) and isset($_POST['awards'])){
echo "<b>Award(s):</b>".$_POST['awards'];
echo "<br>";
}
if(!empty($_POST['Volunteer']) and isset($_POST['Volunteer'])){
echo "<b>Volunteer Activity:</b>".$_POST['Volunteer'];
echo "<br>";
}
echo "<br>";
echo "<b><h5><center>End of Resume</h5></b></center>";
} else {
printf("Could not insert record: %s\n", mysqli_error($mysqli));
}
mysqli_close($mysqli);
}
?>
The data was actually escaped.
When you look at the data in the database, the fact that it exists there means it was escaped -- it is only escaped so it isn't accepted as a character within the query. Once it is inside the database, it is treated as part of the data .
For example, INSERT INTO table VALUES ('My brother\\'s car');
will insert My brother's car
into the database. Since '
is a reserved character in MySQL, it is not treated as part of the query but part of the dataset, a "valid" single quote rather than a "begin value section" character.
Note: don't use mysql_real_escape_string
when using mysqli_
functions. It has its own equivalent .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.