Is it necessary to use mysql_real_escape_string() for image into mysql?

For example:

    $data = file_get_contents($_FILES['image']['tmp_name']);
    $data = mysql_real_escape_string($data);
    mysql_query("INSERT INTO table set image='$data'....

Is this a correct way to stick with?

You could do a base64_encode to keep the integrity of your data and ensure that you will not have problems with characters of any kind; it is actually a very common way to keep and transfer data. To get it back, use base64_decode.

I would recommend keeping it unless there is a reason to remove it, as it's a good way to prevent SQL injection. See here: http://php.net/manual/en/function.mysql-real-escape-string.php.

It is probably possible to do SQL injection through an image that a user could upload or a client could accidentally use.

A reason not to use it could be performance. I would tend to recommend security over performance.
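An added example, not part of the original question or answers: the same insert done with a PDO prepared statement, so the image bytes are bound as a parameter and need neither escaping nor base64 encoding. The in-memory SQLite database (used so the script runs offline), the `images` table and the function names are assumptions; the `mysql_*` functions in the question were removed in PHP 7.0.

```php
<?php
// Added example, not code from the page. SQLite in memory is an assumption made
// so the script runs offline; for MySQL only the DSN changes, e.g.
// new PDO('mysql:host=HOST;dbname=DB;charset=utf8mb4', USER, PASS), and
// PDO::ATTR_EMULATE_PREPARES should be set to false so the server receives the
// statement and the data separately. Table and column names are hypothetical.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, image BLOB NOT NULL)');
    return $pdo;
}

function store_image(PDO $pdo, string $bytes): int
{
    // The statement text is fixed. The bytes are bound as a parameter, so the
    // application never builds SQL out of uploaded content.
    $stmt = $pdo->prepare('INSERT INTO images (image) VALUES (:image)');
    $stmt->bindValue(':image', $bytes, PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function load_image(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT image FROM images WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $blob = $stmt->fetchColumn();
    // Some PDO drivers return LOB columns as streams rather than strings.
    return is_resource($blob) ? stream_get_contents($blob) : (string) $blob;
}

// Constructed sample: a PNG signature followed by bytes that are awkward inside
// a quoted SQL string (NUL, quotes, backslash, comment marker, high bytes).
// In an upload handler this would be the result of
// file_get_contents($_FILES['image']['tmp_name']), as in the question.
$sample = "\x89PNG\r\n\x1a\n" . "\x00'\\\" -- \xff\xfe\x00";

$pdo  = open_db();
$id   = store_image($pdo, $sample);
$back = load_image($pdo, $id);

printf("stored %d bytes, read %d bytes, identical: %s\n",
    strlen($sample), strlen($back), hash_equals($sample, $back) ? 'yes' : 'no');
```

Binding only answers the SQL question; whether the uploaded bytes are really an image, and how large they may be, still has to be checked separately before storing them.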

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.