Using PHP 5.2.6 in XAMPP :
I read about sql injections here and tried that with the following login form :
and php code :
$user = $_POST['user'];
$pass = $_POST['pass'];
$query = "Select * from users where user='$user' AND pass='$pass'";
echo $query;
mysql_connect('localhost','root','');
mysql_select_db('test');
$res = mysql_query($query);
if($res) $row = mysql_fetch_assoc($res);
if($row) echo 'yes';
?>
What I found out was, the $pass variable already had all the special characters escaped.
So, is there no need to use the mysql_real_escape_string in PHP 5.2.6 then?
Answer
It is likely your PHP server is configure to use Magic Quotes. A deprecated setting in PHP that automatically escapes all incoming data in a PHP script. It's deprecated and will be removed in PHP 6. Here are Zend's reasons for removing Magic Quotes.
It's better to not rely on 'magic' that makes many things work but breaks others. Explicitly escaping your input is more reliable and makes you design better code. For example, not all input needs to be escaped in the same way.
No comments:
Post a Comment