Re: is mysqli_real_escape_string bullet proof with binary data? [message #182323 is a reply to message #182320]
Sun, 28 July 2013 13:39
Jerry Stuckle
On 7/28/2013 8:54 AM, Luuk wrote:
> On 28-07-2013 01:44, Jerry Stuckle wrote:
>> On 7/27/2013 11:22 AM, Luuk wrote:
>>> On 27-07-2013 16:36, The Natural Philosopher wrote:
>>>> On 27/07/13 14:28, Luuk wrote:
>>>> > On 27-07-2013 13:08, The Natural Philosopher wrote:
>>>> >> On 27/07/13 10:45, Luuk wrote:
>>>> >>> On 27-07-2013 11:31, The Natural Philosopher wrote:
>>>> >>>> The target is to create and store thumbnail PNG images in a Mysql
>>>> >>>> table.
>>>> >>>> Also any tips on actually getting the thumbnail data into a
>>>> >>>> variable -
>>>> >>>> which package is recommended? I've always used GD, but never been
>>>> >>>> 100%
>>>> >>>> happy with it
>>>> >>>>
>>>> >>>
>>>> >>> As far as the subject goes, i would say:
>>>> >>> DO NOT TOUCH binary data.....
>>>> >>>
>>>> >>> Simply store it, or not, in your database.....
>>>> >> Well exactly. the question is how to get it in there reliably using
>>>> >> the
>>>> >> PHP API.
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> > When reading file contents, I see no need to do a mysqli_real_escape.
>>>> >
>>>> > <?php
>>>> > // On connection failure $link is false, so report the error with
>>>> > // mysqli_connect_error() instead of passing a non-object to mysqli_error().
>>>> > $link = mysqli_connect("localhost", "test", "test", "test")
>>>> >     or die("Error " . mysqli_connect_error());
>>>> >
>>>> > $query = "CREATE TABLE `testpng` ( `id` int(11) NOT NULL
>>>> > AUTO_INCREMENT, `image` blob, PRIMARY KEY (`id`))";
>>>> > $result = $link->query($query);
>>>> >
>>>> > if (!$result) { echo "Could not create table....\n"; exit; } else {
>>>> >     // Prepared statement: the file's bytes travel as a bound parameter,
>>>> >     // never as part of the SQL text, so nothing has to be escaped.
>>>> >     $stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
>>>> >     $file = file_get_contents('upArrow.png');
>>>> >     echo "Size before: " . strlen($file) . "<br>\n";
>>>> >     $stmt->bind_param('s', $file);
>>>> >     $stmt->execute();
>>>> >     printf("%d Row inserted.\n", $stmt->affected_rows);
>>>> >     $stmt->close();
>>>> >
>>>> >     // Read the blob back and compare its length with what was written.
>>>> >     $res = $link->query("SELECT image FROM testpng;");
>>>> >     $row = $res->fetch_object();
>>>> >     $file = $row->image;
>>>> >     echo "Size after: " . strlen($file) . "<br>\n";
>>>> >     $res->free();
>>>> > }
>>>> > ?>
>>>> ...and hope that the file 'upArrow.png' does not contain a ['] or three?
>>>>
>>>
>>> luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
>>> Binary file upArrow.png matches
>>>
>>> luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
>>> 00000110  53 00 a0 04 00 60 cb 63  62 e3 00 50 2d 00 60 27  |S....`.cb..P-.`'|
>>> 00000260  00 b0 6a 3e 01 7b 91 2d  a8 5d 63 03 f6 4b 27 10  |..j>.{.-.]c..K'.|
>>> 000003a0  51 c2 27 22 93 a8 4b b4  26 ba 11 f9 c4 18 62 32  |Q.'"..K.&.....b2|
>>> 000003c0  37 24 12 89 43 32 27 b9  90 02 49 b1 a4 54 d2 12  |7$..C2'...I..T..|
>>> 00000530  fb 81 0e 41 c7 4a 27 5c  27 47 67 8f ce 05 9d e7  |...A.J'\'Gg.....|
>>> 00000720  0e 85 50 7e e8 d6 d0 07  61 e6 61 8b c3 7e 0c 27  |..P~....a.a..~.'|
>>> 000007c0  91 bc 35 79 24 c5 33 a5  2c e5 b9 84 27 a9 90 bc  |..5y$.3.,...'...|
>>> 000009e0  dd bd f3 7a 6f f7 c5 f7  f5 df 16 dd 7e 72 27 fd  |...zo.......~r'.|
>>> 000009f0  ce cb bb d9 77 27 ee ad  bc 4f bc 5f f4 40 ed 41  |....w'...O._.@.A|
>>>
>>>
>>> Yes it does, but who cares?
>>>
>>> Are you really that afraid of code insertion that you fail to see
>>> that this cannot go wrong?
>>>
>>> Or can you explain to me how I can kill my database with this?
>>>
>>
>> Insert the data without using prepared statements or
>> mysql_real_escape_string().
>>
>>
>
> I think I was using a prepared statement.
> And I wonder why I need to check if the contents of this png-file is
> really a png-file, or maybe a script. I'm not executing any code that
> MIGHT be stored in this file. I'm just storing the contents of that file
> in some blob.
>
>> Then don't check the return code.
>
> I did not check the return code because this was just an example;
> normally I would check the return code to see if storing was successful...
>
>
It doesn't make any difference. The png could contain one or more
delimiters, i.e. an apostrophe, which will cause a syntax error in a
non-prepared statement.
Escaping strings is not just to prevent security leaks - it is also to
ensure valid SQL.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
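To put both sides of this exchange (Luuk's bind_param() insert and Jerry's point about the apostrophe) into something you can run, here is an added example that is not code from the thread. It uses SQLite's in-memory database from Python so that it works without a MySQL server; the quoting rule it depends on, that a ' ends a string literal and '' is the escaped form, is the same in MySQL. The sample bytes are constructed: the PNG signature followed by a run like the 27 5c 27 visible in the hexdump above. It compares four ways of getting the bytes into the table: pasting them into a quoted literal unescaped, doubling the quotes by hand (the part of mysqli_real_escape_string()'s job that matters for validity; for MySQL the real function also escapes backslash, NUL, CR, LF and Ctrl-Z), a hex literal X'...', and a bound parameter.

```python
import sqlite3

# Constructed sample "image": the real 8-byte PNG signature followed by a few
# bytes that include apostrophes around a backslash (27 5c 27, as in the
# hexdump above) and a double quote.  Not a valid PNG, just awkward bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + bytes.fromhex("4a275c2747672722e7")

SCHEMA = "CREATE TABLE testpng (id INTEGER PRIMARY KEY, image BLOB)"


def _fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def _stored(db: sqlite3.Connection) -> bytes:
    value = db.execute("SELECT image FROM testpng").fetchone()[0]
    # Data that went in through a quoted literal comes back as TEXT (str);
    # map it to bytes so all strategies are compared like for like.
    return value.encode("latin-1") if isinstance(value, str) else value


def insert_interpolated(data: bytes):
    """Paste the raw bytes into a quoted literal with no escaping, the case
    Jerry describes.  Returns the stored bytes, or the exception class name."""
    db = _fresh_db()
    sql = "INSERT INTO testpng (image) VALUES ('%s')" % data.decode("latin-1")
    try:
        db.execute(sql)          # the first 0x27 in the data ends the literal
    except sqlite3.Error as exc:
        return type(exc).__name__
    return _stored(db)


def insert_escaped(data: bytes) -> bytes:
    """Same literal, with each ' doubled as every SQL dialect requires.  This is
    the minimum of what mysqli_real_escape_string() does; for MySQL the real
    function also escapes backslash, NUL, CR, LF and Ctrl-Z, which this does not."""
    db = _fresh_db()
    text = data.decode("latin-1").replace("'", "''")
    db.execute("INSERT INTO testpng (image) VALUES ('%s')" % text)
    return _stored(db)


def insert_hex_literal(data: bytes) -> bytes:
    """Embed the blob as a hex literal X'...' (valid in SQLite and MySQL).
    Only [0-9a-f] appear in the SQL text, so no byte value can break it."""
    db = _fresh_db()
    db.execute("INSERT INTO testpng (image) VALUES (X'%s')" % data.hex())
    return _stored(db)


def insert_bound(data: bytes) -> bytes:
    """Bound parameter, the equivalent of prepare()/bind_param() in the PHP
    above: the bytes never enter the SQL text, so nothing is quoted or escaped."""
    db = _fresh_db()
    db.execute("INSERT INTO testpng (image) VALUES (?)", (data,))
    return _stored(db)


if __name__ == "__main__":
    for fn in (insert_interpolated, insert_escaped, insert_hex_literal, insert_bound):
        result = fn(SAMPLE_PNG)
        status = "round-trips" if result == SAMPLE_PNG else "fails: %s" % result
        print("%-20s %s" % (fn.__name__, status))
```

The first strategy fails before any row is written, with a syntax error rather than silent corruption, which is exactly Jerry's point: the stray quote breaks the statement whether or not anyone is attacking you. The other three store and return the bytes unchanged; the bound parameter and the hex literal need no escaping at all, because the data never appears as a quoted string inside the SQL text.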