Re: is mysqli_real_escape_string bullet proof with binary data? [message #182334 is a reply to message #182333]
Sun, 28 July 2013 18:14
The Natural Philosoph
On 28/07/13 18:56, Pierre Jaury wrote:
> The Natural Philosopher <tnp(at)invalid(dot)invalid> writes:
>
>> On 28/07/13 16:44, Luuk wrote:
>>> I was not trying to contradict anything. I was reading the post
>>> (from Pierre) and was under the impression that I SHOULD use 'b' in
>>> bind_param.
>>>
>>> I was using 's' in bind_param, and my testprog works ok
>>>
>>> These 2 lines made /me confused ;)
>>>
>>>> I'd really like to know why..
>>>>
>>> Me likes to know why too
>>>
>> Ok. Let's take a step back and summarise - and feel free to correct me
>> if I am wrong.
>>
>> 1/. Mysql can store anything in a BLOB.
>> 2/. Using prepared statements, binary data in a 'string' variable will
>> be stored correctly via the PHP API.
>> 3/. What about un-prepared statements like:
>>
>> (getting data out is not a major issue)
>>
>> $blob=file_get_contents('mygraffix.png');
>>
>> mysqli_query($link, sprintf("insert into mytable set
>> myblob='%s'",$blob));
> This is where string escaping is required
> (e.g. mysqli_real_escape_string($blob)). Rule of thumb: if you are using
> uncontrolled data, and more generally any string that is not explicitly
> declared in the current scope and that might, for one reason or another,
> interfere with the MySQL query language, you MUST escape it before
> constructing your text query.
>
>> Presumably that will barf at some point because the PHP itself will
>> get confused about where the string begins and ends?
>>
>> Or does it? I suppose it's down to the way PHP parses the query string
>> and sends it.
> PHP does not parse anything; in that very case, PHP simply builds the
> query string by running sprintf then sends the result to the MySQL C
> API, as a string. I am not sure how PHP will handle or how the API will
> react if you pass a query containing null bytes for instance, but that
> is out of the question because you did things properly and did escape
> every piece of data that required escaping.
>
> I think you are confusing many notions here, even more than I do
> according to Jerry :) As long as you escape your strings when building
> text queries, PHP will pass them to the MySQL API, which will send them
> to the server, which won't bother parsing and executing your query.
I think in the end it boils down to the basic issue that if you pass a
non-text string AS a text string, you have to escape it, and the effects
of doing that into a binary target are not necessarily guaranteed.
And there are only two ways to pass pure binary data AS pure binary
data: using the prepared-statement way or load_file().
(I never pay attention to Jerry. He is far more concerned with his own
ego than actually providing anything of any value.)
> You may, on the other hand, use bound parameters, which simply do not
> require you to escape the parameter string because it is processed
> completely separately from the sql syntax.
Exactly so.
And that is in fact the way I will go in this instance, since it matches
the nature of the problems most closely.
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
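The thread's question (how raw file bytes get into a BLOB column from a text query versus a bound parameter) is easiest to settle by trying each route and reading the row back. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes a reachable MySQL server with the placeholder credentials shown and a table created as `CREATE TABLE mytable (id INT AUTO_INCREMENT PRIMARY KEY, myblob LONGBLOB)`; the file name `mygraffix.png` is the one used in the thread, and the helper `check()` is this example's own. It covers the escaped `sprintf` query Pierre describes, the `bind_param('s', ...)` that Luuk reported working, the `'b'` plus `send_long_data` route, and a hex-literal form that avoids quoting altogether.

```php
<?php
// Added example (not from the thread): four ways to store the bytes of a file in a
// BLOB column, each followed by a round-trip check so you can see which ones
// preserve the data. Assumptions: a MySQL server reachable with the placeholder
// credentials below and a table
//   CREATE TABLE mytable (id INT AUTO_INCREMENT PRIMARY KEY, myblob LONGBLOB);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

$link = new mysqli('127.0.0.1', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
// real_escape_string is charset-aware: set the connection charset before escaping.
// With a charset in which ' or \ can be the trailing byte of a multibyte character
// (GBK, SJIS, BIG5), escaping arbitrary bytes is not reliable; prefer routes 2-4.
$link->set_charset('utf8mb4');

$blob = file_get_contents('mygraffix.png');

// Hypothetical helper: read the row back and compare a hash of the stored bytes
// with a hash of the original, printing one line per route.
function check(mysqli $link, int $id, string $original, string $label): void
{
    $stmt = $link->prepare('SELECT myblob FROM mytable WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->store_result();          // required before bind_result on BLOB columns with libmysql
    $stmt->bind_result($stored);
    $stmt->fetch();
    $stmt->close();
    $ok = hash('sha256', (string) $stored) === hash('sha256', $original);
    printf("%-26s %s (%d bytes)\n", $label, $ok ? 'intact' : 'CORRUPT', strlen((string) $stored));
}

// 1. Text query with escaping, as Pierre describes. real_escape_string encodes NUL,
//    quotes, backslashes, \n, \r and Ctrl-Z, so the binary survives the SQL tokenizer.
//    Interpolating $blob into sprintf without escaping would let a stray ' or \ inside
//    the file break the statement or change its meaning.
$link->query(sprintf("INSERT INTO mytable SET myblob = '%s'", $link->real_escape_string($blob)));
check($link, $link->insert_id, $blob, 'escaped text query');

// 2. Hex literal: MySQL reads 0x... as a binary string, so no quoting or escaping is
//    involved at all. An empty file needs '' because a bare 0x is a syntax error.
$literal = $blob === '' ? "''" : '0x' . bin2hex($blob);
$link->query('INSERT INTO mytable SET myblob = ' . $literal);
check($link, $link->insert_id, $blob, 'hex literal');

// 3. Prepared statement with the parameter typed 's' (what Luuk reported working):
//    the bytes travel in the execute packet, separate from the SQL text.
$stmt = $link->prepare('INSERT INTO mytable SET myblob = ?');
$stmt->bind_param('s', $blob);
$stmt->execute();
check($link, $stmt->insert_id, $blob, "prepared, bind_param 's'");
$stmt->close();

// 4. Prepared statement with the parameter typed 'b': bind a NULL placeholder and
//    stream the data with send_long_data in chunks, which is the documented mysqli
//    pattern for large blobs that should not be sent in one packet.
$stmt = $link->prepare('INSERT INTO mytable SET myblob = ?');
$null = null;
$stmt->bind_param('b', $null);
foreach (str_split($blob, 8192) as $chunk) {
    $stmt->send_long_data(0, $chunk);
}
$stmt->execute();
check($link, $stmt->insert_id, $blob, "prepared, bind_param 'b'");
$stmt->close();

$link->close();
```

Run it from the command line with `php blobtest.php` after filling in the placeholders. Routes 3 and 4 never put the file's bytes anywhere near the query text, which is why they need no escaping; route 1 is only as safe as the escaping, and route 2 sidesteps the quoting problem at the cost of doubling the size of the statement.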