Backend Development
PHP Tutorial
The mysql_real_escape_string() function is handled differently in different versions of PHP!
The mysql_real_escape_string() function is handled differently in different versions of PHP!
Jul 06, 2016 pm 01:53 PM
It was found that mysql_real_escape_string() behaves differently in different php versions. When I read security development documents online, the document said that before using mysql_real_escape_string() correctly, you need to specify the mysql connection character set, that is, use the mysql_set_charset() function. If the character set is not specified and the character encoding used is a wide character similar to GBK, it may cause Wide character injection.
Here I did a small experiment. I only used mysql_real_escape_string() and did not use the mysql_set_charset() function to specify the current connection character set. When the PHP version is 5.2.17, the wide character injection can be successful; when the PHP version is 5.3 At .29, wide character injection failed. Check the mysql log and it shows that wide characters have also been escaped.
Code:
<code>$conn = mysql_connect('localhost', 'root', 'root') or die('bad!');
mysql_query("SET NAMES 'GBK'");
mysql_select_db('test', $conn) OR emMsg("連接數(shù)據(jù)庫(kù)失敗,未找到您填寫的數(shù)據(jù)庫(kù)");
if(get_magic_quotes_gpc()){
$id = isset($_GET['id']) ? mysql_real_escape_string(stripslashes($_GET['id'])) : 1;
}else{
$id = isset($_GET['id']) ? mysql_real_escape_string($_GET['id']) : 1;
}
//執(zhí)行sql語句
$sql = "SELECT * FROM news WHERE tid='{$id}'";
$result = mysql_query($sql, $conn) or die(mysql_error());
?></code>
mysql log when using php version 5.2.17:
<code> 2 Query SET NAMES 'GBK'
2 Init DB test
2 Query SELECT * FROM news WHERE tid='-1?' union select null,concat(name,0x40,pass),null from admin#'
2 Quit</code>
mysql log when using php version 5.3.29:
<code> 1 Query SET NAMES 'GBK'
1 Init DB test
1 Query SELECT * FROM news WHERE tid='-1\?' union select null,concat(name,0x40,pass),null from admin#'
1 Quit </code>
My question here is, is it not necessary to use mysql_set_charset() to specify the connection character set when the PHP version is 5.3.29? How to judge if it is not needed! ! ! !
Reply content:
It was found that mysql_real_escape_string() behaves differently in different php versions. When I read security development documents online, the document said that before using mysql_real_escape_string() correctly, you need to specify the mysql connection character set, that is, use the mysql_set_charset() function. If the character set is not specified and the character encoding used is a wide character similar to GBK, it may cause Wide character injection.
Here I did a small experiment. I only used mysql_real_escape_string() and did not use the mysql_set_charset() function to specify the current connection character set. When the PHP version is 5.2.17, the wide character injection can be successful; when the PHP version is 5.3 At .29, wide character injection failed. Check the mysql log and it shows that wide characters have also been escaped.
Code:
<code>$conn = mysql_connect('localhost', 'root', 'root') or die('bad!');
mysql_query("SET NAMES 'GBK'");
mysql_select_db('test', $conn) OR emMsg("連接數(shù)據(jù)庫(kù)失敗,未找到您填寫的數(shù)據(jù)庫(kù)");
if(get_magic_quotes_gpc()){
$id = isset($_GET['id']) ? mysql_real_escape_string(stripslashes($_GET['id'])) : 1;
}else{
$id = isset($_GET['id']) ? mysql_real_escape_string($_GET['id']) : 1;
}
//執(zhí)行sql語句
$sql = "SELECT * FROM news WHERE tid='{$id}'";
$result = mysql_query($sql, $conn) or die(mysql_error());
?></code>
mysql log when using php version 5.2.17:
<code> 2 Query SET NAMES 'GBK'
2 Init DB test
2 Query SELECT * FROM news WHERE tid='-1?' union select null,concat(name,0x40,pass),null from admin#'
2 Quit</code>
mysql log when using php version 5.3.29:
<code> 1 Query SET NAMES 'GBK'
1 Init DB test
1 Query SELECT * FROM news WHERE tid='-1\?' union select null,concat(name,0x40,pass),null from admin#'
1 Quit </code>
My question here is, is it not necessary to use mysql_set_charset() to specify the connection character set when the PHP version is 5.3.29? How to judge if it is not needed! ! ! !
This has nothing to do with the PHP version. The mysql and mysqli extensions are developed directly using C language, and the third-party library of mysql is also provided through the C API.
So, this should be related to the version of mysql.dll, which is the version of mysql lib.
The extended version of mysql can be obtained using the mysql_get_client_info() function.
As for your question, you can refer to the MySQL developer manual: 23.8.7.53 mysql_real_escape_string()
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Why We Comment: A PHP Guide
Jul 15, 2025 am 02:48 AM
PHPhasthreecommentstyles://,#forsingle-lineand/.../formulti-line.Usecommentstoexplainwhycodeexists,notwhatitdoes.MarkTODO/FIXMEitemsanddisablecodetemporarilyduringdebugging.Avoidover-commentingsimplelogic.Writeconcise,grammaticallycorrectcommentsandu
How to Install PHP on Windows
Jul 15, 2025 am 02:46 AM
The key steps to install PHP on Windows include: 1. Download the appropriate PHP version and decompress it. It is recommended to use ThreadSafe version with Apache or NonThreadSafe version with Nginx; 2. Configure the php.ini file and rename php.ini-development or php.ini-production to php.ini; 3. Add the PHP path to the system environment variable Path for command line use; 4. Test whether PHP is installed successfully, execute php-v through the command line and run the built-in server to test the parsing capabilities; 5. If you use Apache, you need to configure P in httpd.conf
PHP Syntax: The Basics
Jul 15, 2025 am 02:46 AM
The basic syntax of PHP includes four key points: 1. The PHP tag must be ended, and the use of complete tags is recommended; 2. Echo and print are commonly used for output content, among which echo supports multiple parameters and is more efficient; 3. The annotation methods include //, # and //, to improve code readability; 4. Each statement must end with a semicolon, and spaces and line breaks do not affect execution but affect readability. Mastering these basic rules can help write clear and stable PHP code.
Your First PHP Script: A Practical Introduction
Jul 16, 2025 am 03:42 AM
How to start writing your first PHP script? First, set up the local development environment, install XAMPP/MAMP/LAMP, and use a text editor to understand the server's running principle. Secondly, create a file called hello.php, enter the basic code and run the test. Third, learn to use PHP and HTML to achieve dynamic content output. Finally, pay attention to common errors such as missing semicolons, citation issues, and file extension errors, and enable error reports for debugging.
What is PHP and What is it Used For?
Jul 16, 2025 am 03:45 AM
PHPisaserver-sidescriptinglanguageusedforwebdevelopment,especiallyfordynamicwebsitesandCMSplatformslikeWordPress.Itrunsontheserver,processesdata,interactswithdatabases,andsendsHTMLtobrowsers.Commonusesincludeuserauthentication,e-commerceplatforms,for
PHP 8 Installation Guide
Jul 16, 2025 am 03:41 AM
The steps to install PHP8 on Ubuntu are: 1. Update the software package list; 2. Install PHP8 and basic components; 3. Check the version to confirm that the installation is successful; 4. Install additional modules as needed. Windows users can download and decompress the ZIP package, then modify the configuration file, enable extensions, and add the path to environment variables. macOS users recommend using Homebrew to install, and perform steps such as adding tap, installing PHP8, setting the default version and verifying the version. Although the installation methods are different under different systems, the process is clear, so you can choose the right method according to the purpose.
How Do You Handle File Operations (Reading/Writing) in PHP?
Jul 16, 2025 am 03:48 AM
TohandlefileoperationsinPHP,useappropriatefunctionsandmodes.1.Toreadafile,usefile_get_contents()forsmallfilesorfgets()inaloopforline-by-lineprocessing.2.Towritetoafile,usefile_put_contents()forsimplewritesorappendingwiththeFILE_APPENDflag,orfwrite()w
python if else example
Jul 15, 2025 am 02:55 AM
The key to writing Python's ifelse statements is to understand the logical structure and details. 1. The infrastructure is to execute a piece of code if conditions are established, otherwise the else part is executed, else is optional; 2. Multi-condition judgment is implemented with elif, and it is executed sequentially and stopped once it is met; 3. Nested if is used for further subdivision judgment, it is recommended not to exceed two layers; 4. A ternary expression can be used to replace simple ifelse in a simple scenario. Only by paying attention to indentation, conditional order and logical integrity can we write clear and stable judgment codes.
