
Is mysql_real_escape_string() sufficient for a MySQL REGEXP?

Could $user_input in the following code be chosen to make the MySQL query not behave as expected?

<?php
// The questioner's code: the user-supplied pattern is escaped and then
// interpolated into a double-quoted MySQL string literal.
$regexp = mysql_real_escape_string( $user_input );
mysql_query( "SELECT col FROM table WHERE col REGEXP \"$regexp\"" );
?>

I can't use prepared statements, since the SQL string needs to be passed around a bit.

Edit: I'll add that I'm already aware of regex DoS attacks.


This query:

mysql_query("SELECT col FROM table WHERE col REGEXP '$regexp'");

cannot be subverted to do things other than SELECT (I replaced the double quotes with single ones, since double quotes are a MySQL-only extension).

However, if the regexp itself is not in your immediate control, the user might select anything with it -- you should consider the possibility of that being a problem.


No, you're safe there (except for the regex, which can be anything of course).

You would be more efficient (and secure) if you passed the $link_identifier though, because PHP has to know things about the database in order to escape properly (the encoding, for example). So this function does not simply escape the string, but asks MySQL how to do it properly.

So passing the link identifier ensures that your string is correctly escaped for the database it is meant for.
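Putting the two answers together, here is an added example (Python, not code from the question or from either answer) that models what mysql_real_escape_string() does to the input and what MySQL's parser then sees. The escape table is the documented one (NUL, \n, \r, backslash, single and double quote, Ctrl-Z), the literal reader assumes the default sql_mode (backslash escapes enabled), single quotes are used as in the first answer, Python's re module stands in for MySQL's regex engine, and the GBK connection charset in the last function is an assumption chosen to show why the escaper needs to know the charset. It shows three things: no input leaves the quoted literal, the whole regex is still user-controlled, and byte-wise escaping under a multibyte charset can end the literal early.

```python
import re

# Added example, not code from the original question or answers. It models the
# documented behaviour of mysql_real_escape_string() (NUL, \n, \r, \, ', " and
# Ctrl-Z get a backslash) and MySQL's reading of a single-quoted literal under
# the default sql_mode (backslash escapes enabled).
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}


def escape_string(s):
    """Character-wise escaping: what the PHP function does when it knows the
    connection charset (i.e. when it was given the link identifier)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def escape_bytes(raw):
    """Byte-wise escaping: the same table applied to raw bytes, which is the
    situation the second answer warns about (escaper unaware of the charset)."""
    out = bytearray()
    for x in raw:
        ch = chr(x)
        out += _ESCAPES[ch].encode("ascii") if ch in _ESCAPES else bytes([x])
    return bytes(out)


def read_literal(sql, start):
    """Scan the single-quoted literal beginning at sql[start] the way MySQL's
    parser does: backslash escapes and doubled quotes stay inside the string,
    a lone quote ends it. Returns (decoded value, index after closing quote)."""
    assert sql[start] == "'"
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(_UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def analyse(user_input):
    """Build the query as in the first answer (single quotes) and split it back
    into (the regex MySQL will evaluate, any SQL left after the closing quote)."""
    sql = "SELECT col FROM t WHERE col REGEXP '%s'" % escape_string(user_input)
    pattern, end = read_literal(sql, sql.index("'"))
    return pattern, sql[end:]


ROWS = ["admin", "alice", "bob"]  # constructed sample values of col


def rows_matched(pattern):
    """Rows the REGEXP clause selects. Python's re stands in for MySQL's regex
    engine here; REGEXP is an unanchored match, hence re.search."""
    return [r for r in ROWS if re.search(pattern, r)]


def gbk_mismatch(raw):
    """Escape raw bytes byte-wise, then read the query as GBK (the connection
    charset assumed for this example, as after SET NAMES gbk). Returns
    (pattern, trailing SQL); non-empty trailing SQL means the literal ended
    early because 0xbf 0x5c is a valid two-byte GBK character, so the
    inserted backslash was swallowed and the quote after it is unescaped."""
    sql = b"SELECT col FROM t WHERE col REGEXP '" + escape_bytes(raw) + b"'"
    text = sql.decode("gbk")
    pattern, end = read_literal(text, text.index("'"))
    return pattern, text[end:]


if __name__ == "__main__":
    for attempt in ["' OR 1=1 -- ", "\\", "a\0b", "x'; DROP TABLE t; -- "]:
        print(repr(attempt), "->", analyse(attempt))  # trailing SQL is always ""
    print(rows_matched(".*"), rows_matched("^al"))    # the regex is user-controlled
    print(gbk_mismatch(b"\xbf' OR 1=1 -- "))          # literal closed by the 0x27
```

In analyse() every injection attempt round-trips: the value MySQL reads out of the literal equals the input and nothing is left after the closing quote, which is the first answer's point. rows_matched() shows the other half of it: a pattern such as .* selects every row, because the escaping does nothing to regex metacharacters. gbk_mismatch() is the second answer's point: when the escaper works byte by byte without knowing the connection charset, the byte pair 0xbf 0x27 becomes 0xbf 0x5c 0x27, which a GBK-speaking server reads as one character followed by a bare quote, and the rest of the input lands outside the literal. A charset-aware escaper (one that has the link identifier, or in this model one that decodes the input strictly in the connection charset before escaping) does not produce that sequence.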
