mysql_real_escape_string

It escapes special characters in a string so that the string can be placed inside a quoted literal in a SQL statement. The PHP function calls the MySQL client library function mysql_real_escape_string, which prepends a backslash to each of the following characters: \x00, \n, \r, \, ', " and \x1a. Because the library function takes the character set of the current connection into account, mysql_real_escape_string needs an open connection and must be called after mysql_connect().

The function must always be applied to untrusted data before that data is placed inside a quoted string in a query sent to MySQL. In that position it protects against SQL injection. Note that the whole mysql extension was deprecated in PHP 5.5.0 and removed in PHP 7.0.0; on current PHP, use prepared statements via mysqli or PDO, which bind values separately from the SQL text and also cover unquoted (numeric) contexts that escaping alone does not protect. This is how someone can log in without knowing the password when the data is not escaped:

	<?php
	// Vulnerable: $_POST['password'] is never checked, so it can be anything the user wants. For example:
	$_POST['username'] = 'aidan';
	$_POST['password'] = "' OR ''='";

	// Query the database to check whether there are any matching users
	$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
	mysql_query($query);

	// The query sent to MySQL is now:
	//   SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
	// The trailing OR ''='' is always true, so rows come back and the login succeeds without the password.
	echo $query;

	// To protect the database, escape the data before it goes into the query.
	// (mysql_real_escape_string needs an open connection, so this runs after mysql_connect().)
	$user = mysql_real_escape_string($_POST['username']);
	$pass = mysql_real_escape_string($_POST['password']);
	$query = "SELECT * FROM users WHERE user='$user' AND password='$pass'";
	mysql_query($query);

	// The query sent to MySQL is now:
	//   SELECT * FROM users WHERE user='aidan' AND password='\' OR \'\'=\''
	// The quotes are escaped, the payload is compared as a literal password, and the login fails.
	?>
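As an added worked example (not code from the original page), here is the login bypass and the fix above, reproduced in Python against an in-memory SQLite database (assumed in place of MySQL so the example runs offline). mysql_real_escape_string is imitated by a small pure-Python function that implements the character list given above and ignores connection character sets; SQLite does not parse backslash escapes, so the escaped value is returned as a string rather than executed, while the bypass and the parameterized fix run for real. The users table and its two rows are constructed sample data. The last function shows the caveat that escaping alone does not cover: an unquoted numeric value is passed through unchanged and still injects.

```python
import sqlite3

# Constructed sample data (not from the original page).
SAMPLE_USERS = [("aidan", "s3cret"), ("bob", "hunter2")]


def build_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS (assumed stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (user, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def mysql_real_escape_string(s):
    """Pure-Python imitation (assumption, simplified) of the escaping the page describes.

    Prefixes NUL, LF, CR, backslash, single quote, double quote and Ctrl-Z with a
    backslash, the way the MySQL C API does (NUL becomes \\0, Ctrl-Z becomes \\Z).
    Unlike the real function it knows nothing about the connection character set.
    """
    table = {
        "\x00": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in s)


def login_interpolated(conn, username, password):
    """Vulnerable: the same string interpolation as the PHP snippet."""
    query = f"SELECT id, user FROM users WHERE user='{username}' AND password='{password}'"
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened: the driver binds the values, so they are never parsed as SQL."""
    query = "SELECT id, user FROM users WHERE user=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def user_by_id_escaped_only(conn, user_id):
    """Still vulnerable: escaping changes nothing in an unquoted numeric context."""
    query = f"SELECT id, user FROM users WHERE id={mysql_real_escape_string(user_id)}"
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Every row comes back: logged in without the password.
    print(login_interpolated(conn, "aidan", "' OR ''='"))
    # Empty list: the payload is just a wrong password.
    print(login_parameterized(conn, "aidan", "' OR ''='"))
    # What the PHP fix would send inside the quotes instead.
    print(mysql_real_escape_string("' OR ''='"))
    # Every row again: the escaping function had nothing to escape.
    print(user_by_id_escaped_only(conn, "1 OR 1=1"))
```

Run it as a script to see the four results side by side. The parameterized variant is what mysqli or PDO prepared statements give you in PHP, and it is the only one of the three that is safe in both the quoted and the unquoted case.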

With the database side covered, let's move on to the application part of PHP.
