FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.
Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182331 is a reply to message #182327] Sun, 28 July 2013 16:39 Go to previous messageGo to previous message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
Senior Member
On 28/07/13 16:44, Luuk wrote:
>
> I was not trying to contradict anything. I was reading the post (from
> Pierre) and was under the impression that i SHOULD use 'b' in bind_param.
>
> I was using 's' in bind_param, and my testprog works ok
>
> These 2 lines made /me confused ;)
>
>> I'd really like to know why..
>>
>
> Me likes to know why to
>
Ok. Lets take a step back and summarise - and feel free to correct me if
I am wrong.

1/. Mysql can store anything in a BLOB.
2/. Using prepared statements binary data in a 'string' variable will
be stored correctly via the PHP API.
3/. What about un-prepared statements like:

(getting data out is not a major issue)

$blob=file_get_contents('mygraffix.png')

mysqli_query($link, sprintf("insert into mytable set myblob='%s'",$blob));

Presumably that will barf at some point because the PHP itself will get
confused about where the string begins and ends?

Or does it? I suppose its down to the way PHP parses the query string
and sends it.

Which is why the 'prepared' statement or 'Load_file()' options are
preferred?

i.e. the problem is not with mysql per se, but with PHPs way of handling
strings..

In C of course you simply use mysql_real_query() and specify the query
length..

But I can't actually see how even that will work.. OK you now how long
the total statement has to be, but
at some level you are going to have a statement like 'update mytable,
set bmyblob=randombinarydatapossibly_containing,set
something_else=somethingelse'

That is, simply knowing the completed query LENGTH does not remove
ambiguity.

Where this leaves me is essentially that methods (1) and (2) above are
the only reliable ways to do this job.

I'd like that confirmed or denied..

In the past I have always used load_file with no real issues, but in the
new application security is of major concern. I don't want the average
uploader of images to have general FILE access.


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Sep 20 05:47:20 GMT 2024

Total time taken to generate the page: 0.04379 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.1.3.
Copyright ©2001-2023 FUDforum Bulletin Board Software