FUDforum: comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?

Show: Today's Messages :: Polls :: Message Navigator

Re: is mysqli_real_escape_string bullet proof with binary data? [message #182340 is a reply to message #182338]

Sun, 28 July 2013 19:16

Luuk
Messages: 329
Registered: September 2010

Karma:

Senior Member

On 28-07-2013 21:05, Jerry Stuckle wrote:
> On 7/28/2013 11:25 AM, Luuk wrote:
>> On 28-07-2013 15:39, Jerry Stuckle wrote:
>>> On 7/28/2013 8:54 AM, Luuk wrote:
>>>> >>> ..and hope that the file 'upArrow.png' does not contain a ['] or
>>>> >>> three?
>>>> >>>
>>>> >>
>>>> >> luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
>>>> >> Binary file upArrow.png matches
>>>> >>
>>>> >> luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
>>>> >> 00000110 53 00 a0 04 00 60 cb 63 62 e3 00 50 2d 00 60 27
>>>> >> |S....`.cb..P-.`'|
>>>> >> 00000260 00 b0 6a 3e 01 7b 91 2d a8 5d 63 03 f6 4b 27 10
>>>> >> |..j>.{.-.]c..K'.|
>>>> >> 000003a0 51 c2 27 22 93 a8 4b b4 26 ba 11 f9 c4 18 62 32
>>>> >> |Q.'"..K.&.....b2|
>>>> >> 000003c0 37 24 12 89 43 32 27 b9 90 02 49 b1 a4 54 d2 12
>>>> >> |7$..C2'...I..T..|
>>>> >> 00000530 fb 81 0e 41 c7 4a 27 5c 27 47 67 8f ce 05 9d e7
>>>> >> |...A.J'\'Gg.....|
>>>> >> 00000720 0e 85 50 7e e8 d6 d0 07 61 e6 61 8b c3 7e 0c 27
>>>> >> |..P~....a.a..~.'|
>>>> >> 000007c0 91 bc 35 79 24 c5 33 a5 2c e5 b9 84 27 a9 90 bc
>>>> >> |..5y$.3.,...'...|
>>>> >> 000009e0 dd bd f3 7a 6f f7 c5 f7 f5 df 16 dd 7e 72 27 fd
>>>> >> |...zo.......~r'.|
>>>> >> 000009f0 ce cb bb d9 77 27 ee ad bc 4f bc 5f f4 40 ed 41
>>>> >> |....w'...O._.@.A|
>>>> >>
>>>> >>
>>>
>>> It doesn't make any difference. The png could contain one or more
>>> delimiters, i.e. an apostrophe, which will cause a syntax error in a
>>> non-prepared statement.
>>
>> It DOES contain single-quotes (that is an apostophe?).
>> and that DOES NOT cause a syntax error,
>> because i'm using a prepared statement.
>>
>>>
>>> Escaping strings is not just to prevent security leeks - it is also to
>>> ensure valid SQL.
>>>
>>
>> I dont see any errors in the query.log or error.log of my MySQL
>> installation (about updating this `testpng`-table).
>> Therefore i dont see a point in ensuring validity of an already valid
>> SQL.
>>
>> Can you give an example an file that would break my script?
>> The script is here: http://pastebin.com/5D8ZGEhy
>> My emailadress is: luuk34(at)gmail(dot)com
>>
>> I think i have shown that this script is working OK, and that there is
>> no reason to do something with escaping string here.
>>
>
> You're not reading my replies, Luuk. I said if it contains delimiters
> and YOU ARE NOT USING PREPARED STATEMENTS. For instance:
>
> "INSERT INTO MyTABLE (bin_column) VALUES ('$png_data');
>
> Prepared statements are good for some things - but you have to also be
> aware of the additional processing required when you use them.
>
>

From my code (at: http://pastebin.com/5D8ZGEhy):
$stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
$file = file_get_contents('upArrow.png');
echo "Size before: ".strlen($file)."<br>\n";
$stmt->bind_param('s', $file);

Is above not a prepared statment?

Report message to a moderator

[Message index]

		is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 09:31
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 09:45
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 11:08
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 13:28
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 14:36
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 15:22
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 15:34
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 23:44
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sun, 28 July 2013 12:54
		Re: is mysqli_real_escape_string bullet proof with binary data? By: J.O. Aho on Sun, 28 July 2013 13:35
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sun, 28 July 2013 13:39
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sun, 28 July 2013 15:25
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sun, 28 July 2013 19:05
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sun, 28 July 2013 19:16
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Mon, 29 July 2013 00:46
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Daniel Pitts on Mon, 29 July 2013 16:17
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Mon, 29 July 2013 18:01
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Mon, 29 July 2013 23:04
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Tue, 30 July 2013 01:02
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Mon, 29 July 2013 18:34
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 13:52
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 13:58
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 14:36
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 14:43
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Pierre Jaury on Sat, 27 July 2013 18:10
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 23:52
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Denis McMahon on Sat, 27 July 2013 18:38
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Pierre Jaury on Sat, 27 July 2013 20:25
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sat, 27 July 2013 20:59
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 23:50
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sun, 28 July 2013 15:44
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Pierre Jaury on Sun, 28 July 2013 16:01
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sun, 28 July 2013 16:43
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Sun, 28 July 2013 18:31
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sun, 28 July 2013 16:39
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Pierre Jaury on Sun, 28 July 2013 17:56
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sun, 28 July 2013 18:14
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sun, 28 July 2013 19:10
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Norman Peelman on Mon, 29 July 2013 01:13
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 23:46
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 23:56
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Pierre Jaury on Sun, 28 July 2013 01:55
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sun, 28 July 2013 02:11
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 23:58
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Norman Peelman on Sat, 27 July 2013 13:35
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 13:56
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Norman Peelman on Sun, 28 July 2013 00:01
		Re: is mysqli_real_escape_string bullet proof with binary data? By: The Natural Philosoph on Sat, 27 July 2013 14:33
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Sat, 27 July 2013 13:57
		I've always used GD, but never been 100% happy with it (Was: is mysqli_real_escape_string bullet proof with binary data?) By: J.O. Aho on Sat, 27 July 2013 16:09
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Luuk on Mon, 29 July 2013 18:37
		Re: is mysqli_real_escape_string bullet proof with binary data? By: J.O. Aho on Tue, 30 July 2013 05:31
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Tue, 30 July 2013 06:08
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Scott Johnson on Tue, 30 July 2013 12:35
		Re: is mysqli_real_escape_string bullet proof with binary data? By: J.O. Aho on Tue, 30 July 2013 15:53
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Jerry Stuckle on Tue, 30 July 2013 16:37
		Re: is mysqli_real_escape_string bullet proof with binary data? By: tony on Tue, 30 July 2013 09:35
		Re: is mysqli_real_escape_string bullet proof with binary data? By: Denis McMahon on Wed, 31 July 2013 04:56

Previous Topic:	Major trouble with PhpDocumentor
Next Topic:	Education Path to become a PHP developer using free online courses

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Sep 20 04:39:39 GMT 2024

Total time taken to generate the page: 0.05634 seconds