FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » is mysqli_real_escape_string bullet proof with binary data?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: is mysqli_real_escape_string bullet proof with binary data? [message #182350 is a reply to message #182349] Tue, 30 July 2013 01:02 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 7/29/2013 7:04 PM, The Natural Philosopher wrote:
> Further to this thread I THINK I have established a third way to get
> clean binary data into a blob.
> I looked at what phpmyadmin was doing and developed this code.
> ( it's just the relevant fragment. Its a screen to upload a single file
> and some other form stuff and update the SQL record. )
> ====================
> if($_FILES['uploaded_file']['error']!="")
> {
> $havefile=FALSE;
> }
> else
> {
> $code=file_get_contents($_FILES['uploaded_file']['tmp_name']);
> $size=$_FILES['uploaded_file']['size'];
> $filename=$_FILES['uploaded_file']['name'];
> $havefile=TRUE;
> }
> if (($id=get_id())>0) // its an update
> {
> if($havefile)
> $query=sprintf("update adminmodule set uri='%s',
> descr='%s', privilege_level='%d', filename='%s', size='%d', code=0x%s,
> modified_by='%d', modified_on=now() where id='%d'",
> $_POST['uri'],$_POST['descr'],$_POST['privilege_level'],$filename,
> $size, bin2hex($code), $login_id,$id);
> else
> $query=sprintf("update adminmodule set uri='%s',
> descr='%s', privilege_level='%d', modified_by='%d', modified_on=now()
> where id='%d'",
> $_POST['uri'],$_POST['descr'],$_POST['privilege_level'],$login_id,$id);
> mysqli_query($link,$query);
> }
> =======================
> That is, if you have a variable with binary data in it, run bin2hex()
> on it and prepend '0x' to it and throw it at a simple sql update or
> insert statement.
>
> I didnt know MySQL accepted hex data in that form.
>
> Not as efficient as a prepared statement for big objects, but its
> simple to understand. And it avoids load_file.
>
> In this case its optimal. The code is simple, no FILE privileges are
> required. Since inserts and updates are rare things done by a few people
> the inefficiency won't load up the server hugely.
>

A beautiful way to ensure your database gets hacked (not cleaning the
$_POST data before trying to insert into the database).


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Major trouble with PhpDocumentor
Next Topic: Education Path to become a PHP developer using free online courses
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Mon Nov 25 03:47:41 GMT 2024

Total time taken to generate the page: 0.03225 seconds