Jump to content
Larry Ullman's Book Forums

Recommended Posts

Dear Larry,

 

I am the customer who purchase your book PHP and MySql for Dynamic Website 4th edition. Now I read chapter 9 and reach the section of Ensure Secure SQL.

 

I found that we will use function mysqli_real_escape_string for a security reason. If you have a book in your hand please open to page 287 and read the line 40.

 

$p = mysqli_real_escape_string($dbc, trim($_POST['pass1']));

 

From here I have a question. We use the mysqli_real_escape_string function to secure sql, so it mean some character might now allow to enter because of security reason. But in form password, user can choose any character that they need (alphabet, number, symbol...) in order to make password difficult to crack. If we use this function, what happend if user need ot use the character that they need and will impact to sql security? How many character will not be allow to use when using mysqli_real_escape_string function?

 

Thank,

Kanel

 

Link to comment
Share on other sites

Hello Kanel. So if the user entered a password that contained an apostrophe, that could break the query. So mysqli_real_escape_string() will escape that apostrophe by prefacing it with a slash. So abc'123 becomes abc\'123. This makes the value safe to use in the query, and what actually gets stored is just abc'123 (the slash drops off and isn't stored). 

 

Then, when the user logs in, they provided abc'123, mysqli_real_escape_string() again converts that to abc\'123, which again is safe to use in a query (and will match what was previously stored).

Link to comment
Share on other sites

 Share

×
×
  • Create New...