开发者

Will mysql real escape string prevent hack? [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?

I am new to PHP and wanted to make sure. If i use mysql_real_escape_string for user generated input (variables), the query won't be hacked?

Sample script:

// Getting Unique ID
$sql = "select `Person_id` from `accounts` where `username` = '$username'";
$query = mysql_query($sql) or die ("Erro开发者_JAVA技巧r: ".mysql_error());
while ($row = mysql_fetch_array($query)){
    $pid = $row['Person_ID'];
}
mysql_free_result($query);
$username = mysql_real_escape_string($_POST['Username']);
$newname = mysql_real_escape_string($_POST['Full_name']);
$newgender = mysql_real_escape_string($_POST['Patient_gender']);
$newmonth = mysql_real_escape_string($_POST['Month']);
$newday = mysql_real_escape_string($_POST['Day']);
$newyear = mysql_real_escape_string($_POST['Year']);
$newacctss = mysql_real_escape_string($_POST['Acct_SS']);
$newaddress = mysql_real_escape_string($_POST['Address']);
$newaddress2 = mysql_real_escape_string($_POST['Address2']);
$newcity = mysql_real_escape_string($_POST['City']);
$newstate = mysql_real_escape_string($_POST['State']);
$newzipcode = mysql_real_escape_string($_POST['Zip_code']);
$newhomephone = mysql_real_escape_string($_POST['Home_phone']);
$newcellphone = mysql_real_escape_string($_POST['Cell_phone']);
$neworkphone = mysql_real_escape_string($_POST['Work_phone']);
$newsure = mysql_real_escape_string($_POST['Sure']);
$newfav = mysql_real_escape_string($_POST['Favorite']);
$newcars = mysql_real_escape_string($_POST['Cars']);
$newdrinks = mysql_real_escape_string($_POST['Drinks']);
$newmoi = mysql_real_escape_string($_POST['About_moi']);

//Update Name Only
$sql = "UPDATE accounts SET `full_name` = '$newname' WHERE Username = '$username'"; 
$query1 = mysql_query($sql) or die ("Error: ".mysql_error());

//Everything else being udpated here 
$sql2 = "UPDATE profile SET `Patient_gender` = '$newgender', 
`Month` = '$newmonth', `Day` = '$newday', `Year` = '$newyear', 
`Acct_SS` = '$newacctssn', `Address` = '$newaddress', 
`Address2` = '$newaddress2', `City` = '$newcity', `State` = '$newstate', 
`Zip_code` = '$newzipcode', `Home_phone` = '$newhomephone', 
`Cell_phone` = '$cellphone', `Work_phone` = '$neworkphone', 
`Sure` = '$newsure', `Favorite` = '$newfav', `Cars` = '$newcars', 
`Drinks` = '$newdrinks', `About_moi` = '$newmoi' WHERE Person_id = '$pid'"; 
$query2 = mysql_query($sql2) or die ("Error: ".mysql_error());


Don't use straight mysql. Use the mysqli(notice the i) or PDO library and use prepared statements. Using prepared statements is more secure than using straight queries and including the variable in the query string.

According to the PHP documentation, mysql will be deprecated. It is no longer underdevelopment and the mysqli and PDO extensions should be used instead.


You're pretty safe if your using both quotes and mysql_real_escape_string. You may want to look at PDO or at least mysqli for other reasons.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜