| Re: is mysqli_real_escape_string bullet proof with binary data? [message #182320 is a reply to message #182301] |
Sun, 28 July 2013 12:54   |
Luuk
Messages: 329
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 28-07-2013 01:44, Jerry Stuckle wrote:
> On 7/27/2013 11:22 AM, Luuk wrote:
>> On 27-07-2013 16:36, The Natural Philosopher wrote:
>>> On 27/07/13 14:28, Luuk wrote:
>>>> On 27-07-2013 13:08, The Natural Philosopher wrote:
>>>> > On 27/07/13 10:45, Luuk wrote:
>>>> >> On 27-07-2013 11:31, The Natural Philosopher wrote:
>>>> >>> The target is to create and store thumbnail PNG images in a Mysql
>>>> >>> table.
>>>> >>> Also any tips on actually getting the thumbnail data into a
>>>> >>> variable -
>>>> >>> which package is recommended? I've always used GD, but never been
>>>> >>> 100%
>>>> >>> happy with it
>>>> >>>
>>>> >>
>>>> >> As far as the subject goes, i would say:
>>>> >> DO NOT TOUCH binary data.....
>>>> >>
>>>> >> Simply store it, or not, in your database.....
>>>> > Well exactly. the question is how to get it in there reliably using
>>>> > the
>>>> > PHP API.
>>>> >
>>>> >
>>>>
>>>>
>>>> When reading file contents, i see no need to do a mysqli_real_escape.
>>>>
>>>> <?php
>>>> $link = mysqli_connect("localhost","test","test","test") or
>>>> die("Error " . mysqli_error($link));
>>>>
>>>> $query = "CREATE TABLE `testpng` ( `id` int(11) NOT NULL
>>>> AUTO_INCREMENT, `image` blob, PRIMARY KEY (`id`))";
>>>> $result = $link->query($query);
>>>>
>>>> if (!$result) { echo "Could not create table....\n"; exit; } else {
>>>> $stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
>>>> $file = file_get_contents('upArrow.png');
>>>> echo "Size before: ".strlen($file)."<br>\n";
>>>> $stmt->bind_param('s', $file);
>>>> $stmt->execute();
>>>> printf("%d Row inserted.\n", $stmt->affected_rows);
>>>> $stmt->close();
>>>>
>>>> $stmt = $link->query("SELECT image FROM testpng;");
>>>> $row = $stmt->fetch_object();
>>>> $file = $row->image;
>>>> echo "Size before: ".strlen($file)."<br>\n";
>>>> }
>>>> ?>
>>> ..and hope that the file 'upArrow.png' does not contain a ['] or three?
>>>
>>
>> luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
>> Binary file upArrow.png matches
>>
>> luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
>> 00000110 53 00 a0 04 00 60 cb 63 62 e3 00 50 2d 00 60 27
>> |S....`.cb..P-.`'|
>> 00000260 00 b0 6a 3e 01 7b 91 2d a8 5d 63 03 f6 4b 27 10
>> |..j>.{.-.]c..K'.|
>> 000003a0 51 c2 27 22 93 a8 4b b4 26 ba 11 f9 c4 18 62 32
>> |Q.'"..K.&.....b2|
>> 000003c0 37 24 12 89 43 32 27 b9 90 02 49 b1 a4 54 d2 12
>> |7$..C2'...I..T..|
>> 00000530 fb 81 0e 41 c7 4a 27 5c 27 47 67 8f ce 05 9d e7
>> |...A.J'\'Gg.....|
>> 00000720 0e 85 50 7e e8 d6 d0 07 61 e6 61 8b c3 7e 0c 27
>> |..P~....a.a..~.'|
>> 000007c0 91 bc 35 79 24 c5 33 a5 2c e5 b9 84 27 a9 90 bc
>> |..5y$.3.,...'...|
>> 000009e0 dd bd f3 7a 6f f7 c5 f7 f5 df 16 dd 7e 72 27 fd
>> |...zo.......~r'.|
>> 000009f0 ce cb bb d9 77 27 ee ad bc 4f bc 5f f4 40 ed 41
>> |....w'...O._.@.A|
>>
>>
>> Yes it does, but who cares?
>>
>> Are you really that afraid for code-insertion, that you fail to know
>> that this cannot go wrong?
>>
>> Or can you explain me how i can kill my database with this?
>>
>
> Insert the data without using prepared statements or
> mysql_real_escape_string().
>
>
I think i was using a prepared statement.
And i wonder why i need to check if the contents of this png-file is
really a png-file, or maybe a script. I'm not executing any code that
MIGHT be stored in this file. I'm just storing the contents of that file
in some blob.
> Then don't check the return code.
I did not check return code because this was a piece of example,
normally is would check return code to see if storing was successful...
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]