| Re: is mysqli_real_escape_string bullet proof with binary data? [message #182301 is a reply to message #182293] |
Sat, 27 July 2013 23:44   |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 7/27/2013 11:22 AM, Luuk wrote:
> On 27-07-2013 16:36, The Natural Philosopher wrote:
>> On 27/07/13 14:28, Luuk wrote:
>>> On 27-07-2013 13:08, The Natural Philosopher wrote:
>>>> On 27/07/13 10:45, Luuk wrote:
>>>> > On 27-07-2013 11:31, The Natural Philosopher wrote:
>>>> >> The target is to create and store thumbnail PNG images in a Mysql
>>>> >> table.
>>>> >> Also any tips on actually getting the thumbnail data into a
>>>> >> variable -
>>>> >> which package is recommended? I've always used GD, but never been
>>>> >> 100%
>>>> >> happy with it
>>>> >>
>>>> >
>>>> > As far as the subject goes, i would say:
>>>> > DO NOT TOUCH binary data.....
>>>> >
>>>> > Simply store it, or not, in your database.....
>>>> Well exactly. the question is how to get it in there reliably using the
>>>> PHP API.
>>>>
>>>>
>>>
>>>
>>> When reading file contents, i see no need to do a mysqli_real_escape.
>>>
>>> <?php
>>> $link = mysqli_connect("localhost","test","test","test") or
>>> die("Error " . mysqli_error($link));
>>>
>>> $query = "CREATE TABLE `testpng` ( `id` int(11) NOT NULL
>>> AUTO_INCREMENT, `image` blob, PRIMARY KEY (`id`))";
>>> $result = $link->query($query);
>>>
>>> if (!$result) { echo "Could not create table....\n"; exit; } else {
>>> $stmt = $link->prepare("INSERT INTO testpng (image) VALUES (?)");
>>> $file = file_get_contents('upArrow.png');
>>> echo "Size before: ".strlen($file)."<br>\n";
>>> $stmt->bind_param('s', $file);
>>> $stmt->execute();
>>> printf("%d Row inserted.\n", $stmt->affected_rows);
>>> $stmt->close();
>>>
>>> $stmt = $link->query("SELECT image FROM testpng;");
>>> $row = $stmt->fetch_object();
>>> $file = $row->image;
>>> echo "Size before: ".strlen($file)."<br>\n";
>>> }
>>> ?>
>> ..and hope that the file 'upArrow.png' does not contain a ['] or three?
>>
>
> luuk@opensuse:~/public_html/temp> grep "'" upArrow.png
> Binary file upArrow.png matches
>
> luuk@opensuse:~/public_html/temp> hexdump -C upArrow.png | grep "'"
> 00000110 53 00 a0 04 00 60 cb 63 62 e3 00 50 2d 00 60 27
> |S....`.cb..P-.`'|
> 00000260 00 b0 6a 3e 01 7b 91 2d a8 5d 63 03 f6 4b 27 10
> |..j>.{.-.]c..K'.|
> 000003a0 51 c2 27 22 93 a8 4b b4 26 ba 11 f9 c4 18 62 32
> |Q.'"..K.&.....b2|
> 000003c0 37 24 12 89 43 32 27 b9 90 02 49 b1 a4 54 d2 12
> |7$..C2'...I..T..|
> 00000530 fb 81 0e 41 c7 4a 27 5c 27 47 67 8f ce 05 9d e7
> |...A.J'\'Gg.....|
> 00000720 0e 85 50 7e e8 d6 d0 07 61 e6 61 8b c3 7e 0c 27
> |..P~....a.a..~.'|
> 000007c0 91 bc 35 79 24 c5 33 a5 2c e5 b9 84 27 a9 90 bc
> |..5y$.3.,...'...|
> 000009e0 dd bd f3 7a 6f f7 c5 f7 f5 df 16 dd 7e 72 27 fd
> |...zo.......~r'.|
> 000009f0 ce cb bb d9 77 27 ee ad bc 4f bc 5f f4 40 ed 41
> |....w'...O._.@.A|
>
>
> Yes it does, but who cares?
>
> Are you really that afraid for code-insertion, that you fail to know
> that this cannot go wrong?
>
> Or can you explain me how i can kill my database with this?
>
Insert the data without using prepared statements or
mysql_real_escape_string(). Then don't check the return code.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]