FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182320 is a reply to message #182301] Sun, 28 July 2013 12:54 Go to previous messageGo to previous message
Luuk is currently offline  Luuk
Messages: 329
Registered: September 2010
Karma:
Senior Member
On 28-07-2013 01:44, Jerry Stuckle wrote:
> On 7/27/2013 11:22 AM, Luuk wrote:
>> On 27-07-2013 16:36, The Natural Philosopher wrote:
>>> On 27/07/13 14:28, Luuk wrote:
>>>> On 27-07-2013 13:08, The Natural Philosopher wrote:
>>>> > On 27/07/13 10:45, Luuk wrote:
>>>> >> On 27-07-2013 11:31, The Natural Philosopher wrote:
>>>> >>> The target is to create and store thumbnail PNG images in a Mysql
>>>> >>> table.
>>>> >>> Also any tips on actually getting the thumbnail data into a
>>>> >>> variable -
>>>> >>> which package is recommended? I've always used GD, but never been
>>>> >>> 100%
>>>> >>> happy with it
>>>> >>>
>>>> >>
>>>> >> As far as the subject goes, i would say:
>>>> >> DO NOT TOUCH binary data.....
>>>> >>
>>>> >> Simply store it, or not, in your database.....
>>>> > Well exactly. the question is how to get it in there reliably using
>>>> > the
>>>> > PHP API.
>>>> >
>>>> >
>>>>
>>>>
>>>> When reading file contents, i see no need to do a mysqli_real_escape.
>>>>
>>>> <?php
>>>> $link = mysqli_connect("localhost","test","test","test") or
>>>> die("Error " . mysqli_error($link));
>>>>
>>>> $query = "CREATE TABLE `testpng` ( `id` int(11) NOT NULL
>>>> AUTO_INCREMENT, `image` blob, PRIMARY KEY (`id`))";
>>>> $result = $link->query($query);
>>>>
>>>> if (!$result) { echo "Could not create table....\n"; exit; } else {
>>>> $stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
>>>> $file = file_get_contents('upArrow.png');
>>>> echo "Size before: ".strlen($file)."<br>\n";
>>>> $stmt->bind_param('s', $file);
>>>> $stmt->execute();
>>>> printf("%d Row inserted.\n", $stmt->affected_rows);
>>>> $stmt->close();
>>>>
>>>> $stmt = $link->query("SELECT image FROM testpng;");
>>>> $row = $stmt->fetch_object();
>>>> $file = $row->image;
>>>> echo "Size before: ".strlen($file)."<br>\n";
>>>> }
>>>> ?>
>>> ..and hope that the file 'upArrow.png' does not contain a ['] or three?
>>>
>>
>> luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
>> Binary file upArrow.png matches
>>
>> luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
>> 00000110 53 00 a0 04 00 60 cb 63 62 e3 00 50 2d 00 60 27
>> |S....`.cb..P-.`'|
>> 00000260 00 b0 6a 3e 01 7b 91 2d a8 5d 63 03 f6 4b 27 10
>> |..j>.{.-.]c..K'.|
>> 000003a0 51 c2 27 22 93 a8 4b b4 26 ba 11 f9 c4 18 62 32
>> |Q.'"..K.&.....b2|
>> 000003c0 37 24 12 89 43 32 27 b9 90 02 49 b1 a4 54 d2 12
>> |7$..C2'...I..T..|
>> 00000530 fb 81 0e 41 c7 4a 27 5c 27 47 67 8f ce 05 9d e7
>> |...A.J'\'Gg.....|
>> 00000720 0e 85 50 7e e8 d6 d0 07 61 e6 61 8b c3 7e 0c 27
>> |..P~....a.a..~.'|
>> 000007c0 91 bc 35 79 24 c5 33 a5 2c e5 b9 84 27 a9 90 bc
>> |..5y$.3.,...'...|
>> 000009e0 dd bd f3 7a 6f f7 c5 f7 f5 df 16 dd 7e 72 27 fd
>> |...zo.......~r'.|
>> 000009f0 ce cb bb d9 77 27 ee ad bc 4f bc 5f f4 40 ed 41
>> |....w'...O._.@.A|
>>
>>
>> Yes it does, but who cares?
>>
>> Are you really that afraid for code-insertion, that you fail to know
>> that this cannot go wrong?
>>
>> Or can you explain me how i can kill my database with this?
>>
>
> Insert the data without using prepared statements or
> mysql_real_escape_string().
>
>

I think i was using a prepared statement.
And i wonder why i need to check if the contents of this png-file is
really a png-file, or maybe a script. I'm not executing any code that
MIGHT be stored in this file. I'm just storing the contents of that file
in some blob.

> Then don't check the return code.

I did not check return code because this was a piece of example,
normally is would check return code to see if storing was successful...
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 10 07:06:15 GMT 2024

Total time taken to generate the page: 0.04245 seconds