Webmaster Security

Security - Ubuntu [LINUX] and others

Submitted by CryptAlchemy, , Thread ID: 5140

Thread Closed

RE: Security - Ubuntu [LINUX] and others

Remi
Junior Member
Level:
0
Reputation:
18
Posts:
55
Likes:
8
Credits:
13
30-07-2015, 11:10 PM
#8
18-07-2015, 11:59 PM
Crg97 Wrote: Is mysqli_real_escape_string safe?

Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.

Which means, in a situation like this:

Code:
$id = "' or 1=1-- -'";
$x = $con->query("SELECT * FROM cats WHERE id='".mysqli_real_escape_string($id)."'");
The function will work as intended, and you cannot do anything, because you cant escape the quotes. - '
But, if it's like this:

Code:
$id = "1 or 1=1";
$x = $con->query("SELECT * FROM cats WHERE id=".mysqli_real_escape_string($id));

This will not do anything, since there arent any special characters in $id, but is still an SQLi and you can do everything that you can do with a string-based SQLi.

Users browsing this thread: 1 Guest(s)