
Security - Ubuntu [LINUX] and others

Submitted by CryptAlchemy, Thread ID: 5140


RE: Security - Ubuntu [LINUX] and others

#8
18-07-2015, 11:59 PM
Crg97 Wrote:
Is mysqli_real_escape_string safe?

Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Which means, in a situation like this:

Code:
$id = "' or 1=1-- -'";
// Value sits inside quotes; the escaped quote cannot close the string literal
$x = $con->query("SELECT * FROM cats WHERE id='".mysqli_real_escape_string($con, $id)."'");
The function will work as intended, and you cannot do anything, because you can't escape the quotes. - '
But, if it's like this:

Code:
$id = "1 or 1=1";
// Value is NOT quoted; nothing to escape, so the input is spliced in as SQL
$x = $con->query("SELECT * FROM cats WHERE id=".mysqli_real_escape_string($con, $id));

This will not do anything, since there aren't any special characters in $id, but is still an SQLi and you can do everything that you can do with a string-based SQLi.
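The two situations in the post, run end to end as an added example that is not part of the original thread. It uses Python with an in-memory SQLite table standing in for the `cats` table (constructed sample rows), and a stand-in escape function that doubles single quotes the way SQLite expects, in place of mysqli_real_escape_string, which backslash-escapes for MySQL; the mechanism differs, the point is the same: escaping only neutralises characters that terminate a quoted literal, so it does nothing for a value spliced into an unquoted numeric position. The third function shows the fix a defender actually wants: type validation plus a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for the post's `cats` table.
CATS = [(1, "Tom"), (2, "Felix"), (3, "Garfield")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cats (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO cats VALUES (?, ?)", CATS)
    return con


def escape_string(value: str) -> str:
    """SQLite stand-in for mysqli_real_escape_string (assumption: MySQL would
    backslash-escape instead). It only defuses the character that ends a
    quoted string literal; it has no idea where the value will be spliced."""
    return value.replace("'", "''")


def quoted_escaped(con: sqlite3.Connection, user_id: str) -> list:
    # Case 1 from the post: the value is quoted AND escaped. The attacker's
    # quote cannot close the literal, so the whole payload is compared as text.
    sql = "SELECT * FROM cats WHERE id='" + escape_string(user_id) + "'"
    return con.execute(sql).fetchall()


def unquoted_escaped(con: sqlite3.Connection, user_id: str) -> list:
    # Case 2 from the post: escaped but NOT quoted. "1 or 1=1" contains no
    # quote to escape, so it lands in the query unchanged and is parsed as SQL.
    sql = "SELECT * FROM cats WHERE id=" + escape_string(user_id)
    return con.execute(sql).fetchall()


def parameterised(con: sqlite3.Connection, user_id: str) -> list:
    # The fix: validate the expected type, then bind the value as a parameter.
    # The driver hands the value to the engine separately from the SQL text,
    # so it can never be interpreted as part of the statement.
    numeric_id = int(user_id)  # raises ValueError on "1 or 1=1"
    return con.execute("SELECT * FROM cats WHERE id=?", (numeric_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("quoted+escaped   :", quoted_escaped(db, "' or 1=1-- -'"))
    print("unquoted+escaped :", unquoted_escaped(db, "1 or 1=1"))
    print("parameterised    :", parameterised(db, "2"))
```

The quoted-and-escaped query returns no rows for the payload, the unquoted one returns the whole table even though the "escaping" ran, and the parameterised version rejects the payload before it reaches the engine. Escaping is context-dependent; binding is not, which is why prepared statements (mysqli_prepare/bind_param in PHP) are the right default rather than a per-query escaping decision.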
