FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182342 is a reply to message #182331] Mon, 29 July 2013 01:13 Go to previous messageGo to previous message
Norman Peelman is currently offline  Norman Peelman
Messages: 126
Registered: September 2010
Karma:
Senior Member
On 07/28/2013 12:39 PM, The Natural Philosopher wrote:
> On 28/07/13 16:44, Luuk wrote:
>>
>> I was not trying to contradict anything. I was reading the post (from
>> Pierre) and was under the impression that i SHOULD use 'b' in bind_param.
>>
>> I was using 's' in bind_param, and my testprog works ok
>>
>> These 2 lines made /me confused ;)
>>
>>> I'd really like to know why..
>>>
>>
>> Me likes to know why to
>>
> Ok. Lets take a step back and summarise - and feel free to correct me if
> I am wrong.
>
> 1/. Mysql can store anything in a BLOB.
> 2/. Using prepared statements binary data in a 'string' variable will
> be stored correctly via the PHP API.
> 3/. What about un-prepared statements like:
>
> (getting data out is not a major issue)
>
> $blob=file_get_contents('mygraffix.png')
>
> mysqli_query($link, sprintf("insert into mytable set myblob='%s'",$blob));
>
> Presumably that will barf at some point because the PHP itself will get
> confused about where the string begins and ends?
>
> Or does it? I suppose its down to the way PHP parses the query string
> and sends it.
>
> Which is why the 'prepared' statement or 'Load_file()' options are
> preferred?
>
> i.e. the problem is not with mysql per se, but with PHPs way of handling
> strings..
>
> In C of course you simply use mysql_real_query() and specify the query
> length..
>
> But I can't actually see how even that will work.. OK you now how long
> the total statement has to be, but
> at some level you are going to have a statement like 'update mytable,
> set bmyblob=randombinarydatapossibly_containing,set
> something_else=somethingelse'
>
> That is, simply knowing the completed query LENGTH does not remove
> ambiguity.
>
> Where this leaves me is essentially that methods (1) and (2) above are
> the only reliable ways to do this job.
>
> I'd like that confirmed or denied..
>
> In the past I have always used load_file with no real issues, but in the
> new application security is of major concern. I don't want the average
> uploader of images to have general FILE access.
>
>

http://dev.mysql.com/doc/refman/5.0/en/blob.html

--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 10 05:08:43 GMT 2024

Total time taken to generate the page: 0.05267 seconds