FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182305 is a reply to message #182299] Sat, 27 July 2013 23:56 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 7/27/2013 4:25 PM, Pierre Jaury wrote:
> Denis McMahon <denismfmcmahon(at)gmail(dot)com> writes:
>
>> On Sat, 27 Jul 2013 11:45:50 +0200, Luuk wrote:
>>
>>> On 27-07-2013 11:31, The Natural Philosopher wrote:
>>
>>>> The target is to create and store thumbnail PNG images in a Mysql
>>>> table.
>>
>>> As far as the subject goes, i would say:
>>> DO NOT TOUCH binary data.....
>>> Simply store it, or not, in your database.....
>>
>> Is it trying to store binary data as character data, or does it think it
>> needs to string escape binary data types?
>
> Escaping strings is a concept only useful when building request strings
> that include user supplied data. It does avoid concatenating strings
> whith special/control characters that may interfere with the original
> language. There is no need to escape strings if you do not embed
> them inside your request string (eg. if you use bound parameters).
>

Incorrect. ALL strings, whether user-supplied or not, need to be
escaped if you don't use bound values.

> This is true when dealing with SQL (write prepared statements without
> including any user supplied data, then bind the parameters), bash
> commands that only require one exec (use exec* instead of system), and
> pretty much in any case you construct interpreted code at runtime.
>

Additional overhead, as I indicated before. Additionally, binding
numeric values greatly increases the overhead (because they do not need
to be escaped when not using bound variables). They just need to be
validated as the appropriate numeric values (which needs to be done in
either case).

> Data sent to MySQL as bound parameters in prepared statements is
> shipped as is, it not escaped or processed in any way before the
> MySQL API structures are filled with it. Now, for your binary data
> to be handled as is by the MySQL server (and skip the charset
> processing), the parameter must be bound as MYSQL_TYPE_BLOB, which
> you may control when using bind_param.
>
> See http://fr2.php.net/manual/fr/mysqli-stmt.bind-param.php and the
> "b" (as in binary) flag for details.
>

A little knowledge is a dangerous thing.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 19:24:24 GMT 2024

Total time taken to generate the page: 0.04955 seconds