Jump to content
Larry Ullman's Book Forums

Recommended Posts

Dear Larry,

 

I am the customer who purchase your book PHP and MySql for Dynamic Website 4th edition. Now I read chapter 9 and reach the section of Ensure Secure SQL.

 

I found that we will use function mysqli_real_escape_string for a security reason. If you have a book in your hand please open to page 287 and read the line 40.

 

$p = mysqli_real_escape_string($dbc, trim($_POST['pass1']));

 

From here I have a question. We use the mysqli_real_escape_string function to secure sql, so it mean some character might now allow to enter because of security reason. But in form password, user can choose any character that they need (alphabet, number, symbol...) in order to make password difficult to crack. If we use this function, what happend if user need ot use the character that they need and will impact to sql security? How many character will not be allow to use when using mysqli_real_escape_string function?

 

Thank,

Kanel

 

Share this post


Link to post
Share on other sites

Hello Kanel. So if the user entered a password that contained an apostrophe, that could break the query. So mysqli_real_escape_string() will escape that apostrophe by prefacing it with a slash. So abc'123 becomes abc\'123. This makes the value safe to use in the query, and what actually gets stored is just abc'123 (the slash drops off and isn't stored). 

 

Then, when the user logs in, they provided abc'123, mysqli_real_escape_string() again converts that to abc\'123, which again is safe to use in a query (and will match what was previously stored).

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...