As it says in the title, how can I tell if the mysql_real_escape_string is working how it should without waiting to be hacked?
Check the values you get back from it.
Send it some text that it should escape, such as Ed O'Neil (which should come back as Ed O''Neil or Ed O\'Neil).
Create a unit test that sends it all characters it should escape and checks its output.
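A table-driven version of the unit test suggested above, added here as an example rather than code from the answer. The expected values are the ones the MySQL documentation gives for mysql_real_escape_string (NUL, newline, carriage return, backslash, single quote, double quote and Control-Z are escaped). The checker takes any escaper as a callable, so on a live connection you can pass something like fn($s) => $mysqli->real_escape_string($s); the reference_escape and naive_escape functions are constructed stand-ins so the check runs without a database. Assumes PHP 7.1 or later.

```php
<?php
// Added example: a table-driven check for a MySQL string escaper.

// Each case is [input, expected escaped output]; the expected values follow the
// MySQL C API documentation for mysql_real_escape_string().
function escaper_test_cases(): array {
    return [
        ["Ed O'Neil",        "Ed O\\'Neil"],
        ["say \"hi\"",       "say \\\"hi\\\""],
        ["back\\slash",      "back\\\\slash"],
        ["line\nfeed",       "line\\nfeed"],
        ["carriage\rreturn", "carriage\\rreturn"],
        ["nul\0byte",        "nul\\0byte"],
        ["ctrl\x1az",        "ctrl\\Zz"],
        ["plain text 123",   "plain text 123"],
    ];
}

// Runs every case through $escape and returns a list of human-readable
// failures (empty list means the escaper handled every case).
function check_escaper(callable $escape): array {
    $failures = [];
    foreach (escaper_test_cases() as [$input, $expected]) {
        $actual = $escape($input);
        if ($actual !== $expected) {
            $failures[] = sprintf(
                "input %s: expected %s, got %s",
                json_encode($input), json_encode($expected), json_encode($actual)
            );
        }
    }
    return $failures;
}

// Constructed reference escaper (an assumption standing in for the database
// function so the check can run offline). strtr() walks the input once and
// never re-escapes the backslashes it inserts.
function reference_escape(string $s): string {
    return strtr($s, [
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Constructed example of an incomplete escaper (single quotes only) to show
// that the table catches it.
function naive_escape(string $s): string {
    return str_replace("'", "\\'", $s);
}

$failures = check_escaper('reference_escape');
if ($failures === []) {
    echo "reference escaper: all cases pass\n";
} else {
    echo implode("\n", $failures), "\n";
}

$failures = check_escaper('naive_escape');
echo "naive escaper: ", count($failures), " failing case(s)\n";
foreach ($failures as $f) {
    echo "  ", $f, "\n";
}
```

The same table works as a PHPUnit data provider if you prefer a real test runner: feed each pair to a test method and assert that the escaper's output equals the expected string.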
BUT: Why don't you simply use parameterized queries with PDO? Like:
$dbh = new PDO([...]);
$sth = $dbh->prepare("SELECT foo FROM bar WHERE baz=:baz");
$sth->execute(array(":baz" => $mybaz));
It is the safest way and thanks to PDO it's nearly as easy as in Perl.
To expand on what 'R. Bemrose' offered, here is some sample code to do just that. Be sure to replace the mysql credentials with your own.
<?php
// Connect. mysql_real_escape_string() needs an open connection, because the
// escaping depends on the connection's character set. (The mysql_* extension
// was removed in PHP 7.0; on current PHP use mysqli or PDO instead.)
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Inputs: a legitimate name containing a quote, and a hostile string
$user = "Ed O'Neil";
$password = "SQL_INJECTION ';'alter table xyz';";

// Query with escaped values: the quotes in both inputs become \' and stay
// inside the string literals
$query_safe = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));

// Query with raw values: the quotes in the inputs terminate the string
// literals and the remainder is parsed as SQL
$query_not_safe = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    $user,
    $password);

// Compare the two query strings side by side
echo $query_safe."\n";
echo $query_not_safe;
?>
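The same two inputs, run through PDO prepared statements instead of string building, as an added example that is not part of the answer above. It uses an in-memory SQLite database (the pdo_sqlite extension and the users table and row are assumptions constructed here) so it runs without a MySQL server; the parameter binding works the same way against MySQL.

```php
<?php
// Added example: the answer's inputs handled with PDO prepared statements.

// Constructed test database: one user with a known password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('Ed O''Neil', 'correct-horse')");

$user = "Ed O'Neil";
$password = "SQL_INJECTION ';'alter table xyz';";

// The SQL text is fixed; the values are sent separately as parameters, so the
// quote in $user and the payload in $password are compared as data and are
// never parsed as SQL. Returns the matching user names.
function find_user(PDO $pdo, string $user, string $password): array {
    $sth = $pdo->prepare(
        "SELECT user FROM users WHERE user = :user AND password = :password"
    );
    $sth->execute([':user' => $user, ':password' => $password]);
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// Wrong password (the injection string): no row matches.
var_dump(find_user($pdo, $user, $password));

// Correct password: the row with the quoted name is found.
var_dump(find_user($pdo, $user, 'correct-horse'));

// If you do need to see how the driver would quote a value as a literal,
// PDO::quote() shows it for the connected driver (here SQLite, which doubles
// single quotes; MySQL's driver uses backslash escaping).
echo $pdo->quote($password), "\n";

// The table is still intact: the payload never executed as SQL.
var_dump($pdo->query("SELECT count(*) FROM users")->fetchColumn());
```

With a MySQL DSN the only change is the constructor argument; the prepare/execute calls and the named placeholders stay the same, which is why the PDO answer above calls this the safest route.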