Geek asks and answers

Why doesn't mysql_real_escape_string consider these characters dangerous?

I learn how to sanitize my forms and know that using the PHP function mysql_real_escape_string()helps to avoid characters that are considered “dangerous” or violate the syntax of your SQL. I tested it and noticed that it does not escape a sequence of characters, such as --or /* */. Are these comments in SQL and cannot they violate the syntax of the statement? How would you pass on these and other items that mysql_real_escape_string()do not cover and truly disinfect your forms?

+3
source share
3 answers

They will never violate the SQL statement, since they will never break out of the string, and therefore your string will remain intact, protecting you from any unpleasant injections.

This does not mean that you do not want to remove them from the string. From a MySQL perspective, they are safe, but depending on your application, this may not be the case.

+5
source

Always surround the parameters with quotation marks and you will be safe. Inside quotation marks --and /* */do not really matter.

+3
source

mysql_real_escape_string() , MySQL , . , .

For example, a backslash ( \) and a single quote ( ') are used to build a query (and then exit), but there is no forward slash. The structures you mentioned have context outside of the quoted value, but since they are quoted (and correctly exit), they will not adversely affect the request.

0
source

More articles:


All Articles