Re: is mysqli_real_escape_string bullet proof with binary data? [message #182293 is a reply to message #182287] |
Sat, 27 July 2013 15:22 |
Luuk
Messages: 329 Registered: September 2010
Karma:
|
Senior Member |
|
|
On 27-07-2013 16:36, The Natural Philosopher wrote:
> On 27/07/13 14:28, Luuk wrote:
>> On 27-07-2013 13:08, The Natural Philosopher wrote:
>>> On 27/07/13 10:45, Luuk wrote:
>>>> On 27-07-2013 11:31, The Natural Philosopher wrote:
>>>> > The target is to create and store thumbnail PNG images in a Mysql
>>>> > table.
>>>> > Also any tips on actually getting the thumbnail data into a variable -
>>>> > which package is recommended? I've always used GD, but never been 100%
>>>> > happy with it
>>>> >
>>>>
>>>> As far as the subject goes, i would say:
>>>> DO NOT TOUCH binary data.....
>>>>
>>>> Simply store it, or not, in your database.....
>>> Well exactly. the question is how to get it in there reliably using the
>>> PHP API.
>>>
>>>
>>
>>
>> When reading file contents, i see no need to do a mysqli_real_escape.
>>
>> <?php
>> $link = mysqli_connect("localhost","test","test","test") or
>> die("Error " . mysqli_error($link));
>>
>> $query = "CREATE TABLE `testpng` ( `id` int(11) NOT NULL
>> AUTO_INCREMENT, `image` blob, PRIMARY KEY (`id`))";
>> $result = $link->query($query);
>>
>> if (!$result) { echo "Could not create table....\n"; exit; } else {
>> $stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
>> $file = file_get_contents('upArrow.png');
>> echo "Size before: ".strlen($file)."<br>\n";
>> $stmt->bind_param('s', $file);
>> $stmt->execute();
>> printf("%d Row inserted.\n", $stmt->affected_rows);
>> $stmt->close();
>>
>> $stmt = $link->query("SELECT image FROM testpng;");
>> $row = $stmt->fetch_object();
>> $file = $row->image;
>> echo "Size before: ".strlen($file)."<br>\n";
>> }
>> ?>
> ..and hope that the file 'upArrow.png' does not contain a ['] or three?
>
luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
Binary file upArrow.png matches
luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
00000110 53 00 a0 04 00 60 cb 63 62 e3 00 50 2d 00 60 27
|S....`.cb..P-.`'|
00000260 00 b0 6a 3e 01 7b 91 2d a8 5d 63 03 f6 4b 27 10
|..j>.{.-.]c..K'.|
000003a0 51 c2 27 22 93 a8 4b b4 26 ba 11 f9 c4 18 62 32
|Q.'"..K.&.....b2|
000003c0 37 24 12 89 43 32 27 b9 90 02 49 b1 a4 54 d2 12
|7$..C2'...I..T..|
00000530 fb 81 0e 41 c7 4a 27 5c 27 47 67 8f ce 05 9d e7
|...A.J'\'Gg.....|
00000720 0e 85 50 7e e8 d6 d0 07 61 e6 61 8b c3 7e 0c 27
|..P~....a.a..~.'|
000007c0 91 bc 35 79 24 c5 33 a5 2c e5 b9 84 27 a9 90 bc
|..5y$.3.,...'...|
000009e0 dd bd f3 7a 6f f7 c5 f7 f5 df 16 dd 7e 72 27 fd
|...zo.......~r'.|
000009f0 ce cb bb d9 77 27 ee ad bc 4f bc 5f f4 40 ed 41
|....w'...O._.@.A|
Yes it does, but who cares?
Are you really that afraid for code-insertion, that you fail to know
that this cannot go wrong?
Or can you explain me how i can kill my database with this?
|
|
|