Will mysql real escape string prevent hack? [duplicate]_问答_开发者

Will mysql real escape string prevent hack? [duplicate]

开发者 https://www.devze.com 2023-04-12 02:03 出处：网络

This question already has answers here: Closed 11 years ago. Possible Duplicate: Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?

This question already has answers here: Closed 11 years ago.

Possible Duplicate:
Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?

I am new to PHP and wanted to make sure. If i use mysql_real_escape_string for user generated input (variables), the query won't be hacked?

Sample script:

// Getting Unique ID
$sql = "select `Person_id` from `accounts` where `username` = '$username'";
$query = mysql_query($sql) or die ("Erro开发者_JAVA技巧r: ".mysql_error());
while ($row = mysql_fetch_array($query)){
    $pid = $row['Person_ID'];
}
mysql_free_result($query);
$username = mysql_real_escape_string($_POST['Username']);
$newname = mysql_real_escape_string($_POST['Full_name']);
$newgender = mysql_real_escape_string($_POST['Patient_gender']);
$newmonth = mysql_real_escape_string($_POST['Month']);
$newday = mysql_real_escape_string($_POST['Day']);
$newyear = mysql_real_escape_string($_POST['Year']);
$newacctss = mysql_real_escape_string($_POST['Acct_SS']);
$newaddress = mysql_real_escape_string($_POST['Address']);
$newaddress2 = mysql_real_escape_string($_POST['Address2']);
$newcity = mysql_real_escape_string($_POST['City']);
$newstate = mysql_real_escape_string($_POST['State']);
$newzipcode = mysql_real_escape_string($_POST['Zip_code']);
$newhomephone = mysql_real_escape_string($_POST['Home_phone']);
$newcellphone = mysql_real_escape_string($_POST['Cell_phone']);
$neworkphone = mysql_real_escape_string($_POST['Work_phone']);
$newsure = mysql_real_escape_string($_POST['Sure']);
$newfav = mysql_real_escape_string($_POST['Favorite']);
$newcars = mysql_real_escape_string($_POST['Cars']);
$newdrinks = mysql_real_escape_string($_POST['Drinks']);
$newmoi = mysql_real_escape_string($_POST['About_moi']);

//Update Name Only
$sql = "UPDATE accounts SET `full_name` = '$newname' WHERE Username = '$username'"; 
$query1 = mysql_query($sql) or die ("Error: ".mysql_error());

//Everything else being udpated here 
$sql2 = "UPDATE profile SET `Patient_gender` = '$newgender', 
`Month` = '$newmonth', `Day` = '$newday', `Year` = '$newyear', 
`Acct_SS` = '$newacctssn', `Address` = '$newaddress', 
`Address2` = '$newaddress2', `City` = '$newcity', `State` = '$newstate', 
`Zip_code` = '$newzipcode', `Home_phone` = '$newhomephone', 
`Cell_phone` = '$cellphone', `Work_phone` = '$neworkphone', 
`Sure` = '$newsure', `Favorite` = '$newfav', `Cars` = '$newcars', 
`Drinks` = '$newdrinks', `About_moi` = '$newmoi' WHERE Person_id = '$pid'"; 
$query2 = mysql_query($sql2) or die ("Error: ".mysql_error());

Don't use straight mysql. Use the mysqli(notice the i) or PDO library and use prepared statements. Using prepared statements is more secure than using straight queries and including the variable in the query string.

According to the PHP documentation, mysql will be deprecated. It is no longer underdevelopment and the mysqli and PDO extensions should be used instead.

You're pretty safe if your using both quotes and mysql_real_escape_string. You may want to look at PDO or at least mysqli for other reasons.