FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182333 is a reply to message #182331] Sun, 28 July 2013 17:56 Go to previous messageGo to previous message
Pierre Jaury is currently offline  Pierre Jaury
Messages: 5
Registered: July 2013
Karma:
Junior Member
The Natural Philosopher <tnp(at)invalid(dot)invalid> writes:

> On 28/07/13 16:44, Luuk wrote:
>>
>> I was not trying to contradict anything. I was reading the post
>> (from Pierre) and was under the impression that i SHOULD use 'b' in
>> bind_param.
>>
>> I was using 's' in bind_param, and my testprog works ok
>>
>> These 2 lines made /me confused ;)
>>
>>> I'd really like to know why..
>>>
>>
>> Me likes to know why to
>>
> Ok. Lets take a step back and summarise - and feel free to correct me
> if I am wrong.
>
> 1/. Mysql can store anything in a BLOB.
> 2/. Using prepared statements binary data in a 'string' variable will
> be stored correctly via the PHP API.
> 3/. What about un-prepared statements like:
>
> (getting data out is not a major issue)
>
> $blob=file_get_contents('mygraffix.png')
>
> mysqli_query($link, sprintf("insert into mytable set
> myblob='%s'",$blob));

This were string escaping is required
(eg. mysqli_real_escape_string($blob)). Rule of thumb: if you are using
uncontrolled data, and more generally any string that is not explicitely
declared in the current scope and that might, for one reason or another,
interfere with the MySQL query language, you MUST escape it before
constructing your text query.

> Presumably that will barf at some point because the PHP itself will
> get confused about where the string begins and ends?
>
> Or does it? I suppose its down to the way PHP parses the query string
> and sends it.

PHP does not parse anything, in that very case, PHP simply builds the
query string by running sprintf then sends the result to the MySQL C
API, as a string. I am not sure how PHP will handle or how the API will
react if you pass a query containing null bytes for instance, but that
is out of the question because you did things properly and did escape
every piece of data that required escaping.

I think you are confusing many notions here, even more than I do
according to Jerry :) As long as you escape your strings when building
text queries, PHP will pass them to the MySQL API, which will send them
to the server, which won't bother parsing and executing your query.

You may, on the other hand, use bound parameters, which simply do not
require you to escape the parameter string because it is processed
completely separately from the sql syntax.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 20:14:55 GMT 2024

Total time taken to generate the page: 0.04192 seconds