Bypassing mysql_real_escape_string's protection

Developer https://www.devze.com 2023-01-23 18:04 Source: web
Some dude challenged me to sql-inject his code. He said the PHP function in the title should suffice for this case.

$var = 'my malevolent input will be in here';
$var = mysql_real_escape_string($var);

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

mysql_query($sql);

I can't seem to bypass the single-quote escaping. What should I use as a value for $var? Can I use something?

Thanks, as always


No, using mysql_real_escape_string is considered to be safe for any input unless the character encoding is not set properly by using mysql_client_encoding.


While there may be esoteric exploits in certain server versions under certain conditions and such, as far as I know, using mysql_real_escape_string() in this way is generally considered safe.


You have an error in code:

$sql = "SELECT * FROM `users` WHERE `id` = '$var'";

Should be

$sql = "SELECT * FROM `users` WHERE `id` = '".$var."'";

If you are not sure whether id is an integer or a string.

If you are sure that id is always an integer, then:

$sql = "SELECT * FROM `users` WHERE `id` = ".intval($var).";";

And you will be safe with mysql_real_escape_string(); ^_^

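The lookup from the question written the way the answers above recommend, as an added example that is not code from the question or from any answer. It uses mysqli (the mysql_* functions in the question are removed in current PHP); the host, credentials and database name are placeholders, and the sample input is constructed.

```php
<?php
// Added example (not from the question or answers). Connection details are placeholders.
$db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    exit('Connection failed: ' . $db->connect_error);
}

// The first answer's condition: escaping is only charset-aware once the
// connection charset has been set on the connection object itself (not via
// a "SET NAMES" query), so do this before any real_escape_string() call.
$db->set_charset('utf8mb4');

// 1. The escaping approach from the question, with identifiers in backticks
//    and the escaped value inside single quotes.
function findUserEscaped(mysqli $db, string $var): ?array
{
    $escaped = $db->real_escape_string($var);
    $sql = "SELECT * FROM `users` WHERE `id` = '$escaped'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 2. Parameterised statement: the value is sent separately from the SQL text,
//    so neither quoting nor a charset mismatch can change the query's meaning.
//    When id is known to be an integer (third answer), cast with intval() and
//    bind with type 'i' instead of 's'.
function findUserPrepared(mysqli $db, string $var): ?array
{
    $stmt = $db->prepare('SELECT * FROM `users` WHERE `id` = ?');
    $stmt->bind_param('s', $var);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input containing a quote: both functions treat it as data.
$input = "o'brien";
var_dump(findUserEscaped($db, $input));
var_dump(findUserPrepared($db, $input));
```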
