Re: is mysqli_real_escape_string bullet proof with binary data? [message #182350 is a reply to message #182349]
Tue, 30 July 2013 01:02
Jerry Stuckle
Messages: 2598 Registered: September 2010
Senior Member
On 7/29/2013 7:04 PM, The Natural Philosopher wrote:
> Further to this thread I THINK I have established a third way to get
> clean binary data into a blob.
> I looked at what phpmyadmin was doing and developed this code.
> ( it's just the relevant fragment. It's a screen to upload a single file
> and some other form stuff and update the SQL record. )
> ====================
> if($_FILES['uploaded_file']['error']!="")
> {
> $havefile=FALSE;
> }
> else
> {
> $code=file_get_contents($_FILES['uploaded_file']['tmp_name']);
> $size=$_FILES['uploaded_file']['size'];
> $filename=$_FILES['uploaded_file']['name'];
> $havefile=TRUE;
> }
> if (($id=get_id())>0) // its an update
> {
> if($havefile)
> $query=sprintf("update adminmodule set uri='%s',
> descr='%s', privilege_level='%d', filename='%s', size='%d', code=0x%s,
> modified_by='%d', modified_on=now() where id='%d'",
> $_POST['uri'],$_POST['descr'],$_POST['privilege_level'],$filename,
> $size, bin2hex($code), $login_id,$id);
> else
> $query=sprintf("update adminmodule set uri='%s',
> descr='%s', privilege_level='%d', modified_by='%d', modified_on=now()
> where id='%d'",
> $_POST['uri'],$_POST['descr'],$_POST['privilege_level'],$login_id,$id);
> mysqli_query($link,$query);
> }
> =======================
> That is, if you have a variable with binary data in it, run bin2hex()
> on it and prepend '0x' to it and throw it at a simple sql update or
> insert statement.
>
> I didn't know MySQL accepted hex data in that form.
>
> Not as efficient as a prepared statement for big objects, but it's
> simple to understand. And it avoids load_file.
>
> In this case it's optimal. The code is simple, no FILE privileges are
> required. Since inserts and updates are rare things done by a few people
> the inefficiency won't load up the server hugely.
>
A beautiful way to ensure your database gets hacked (not cleaning the
$_POST data before trying to insert into the database).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
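The point raised in the reply above is the unescaped `$_POST` values interpolated through `'%s'`; the `0x` + `bin2hex()` blob itself is not the injection vector, because `bin2hex()` can only emit hex digits. The following is an added example, not code from either poster: the same `adminmodule` update written with a mysqli prepared statement so that every request value is bound rather than interpolated, plus a small helper for anyone who keeps the hex-literal approach. It assumes `$link` is an open `mysqli` connection and that the table and column names match the quoted snippet; the function names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table and column names follow the
// quoted "adminmodule" update; $link is assumed to be an open mysqli connection.

/**
 * Build a MySQL hexadecimal literal for raw bytes. bin2hex() only ever emits
 * [0-9a-f], so the result cannot carry quotes or other SQL metacharacters;
 * the remaining risk in the quoted snippet is the other '%s' columns, not this one.
 * Edge case: bin2hex('') is '', and "code=0x" with no digits is not a hex
 * literal, so an empty upload is emitted as the empty hex string X''.
 */
function blob_hex_literal(string $bytes): string
{
    return $bytes === '' ? "X''" : '0x' . bin2hex($bytes);
}

/**
 * Same UPDATE as the quoted code, with every user-controlled value bound
 * instead of interpolated. The BLOB is streamed with send_long_data() so it
 * does not have to fit in a single bound parameter.
 */
function update_admin_module(
    mysqli $link,
    int $id,
    int $login_id,
    string $uri,
    string $descr,
    int $privilege_level,
    ?string $filename = null,
    ?string $code = null
): bool {
    if ($code === null) {
        // No file uploaded: only the metadata columns change.
        $stmt = $link->prepare(
            'UPDATE adminmodule SET uri=?, descr=?, privilege_level=?, ' .
            'modified_by=?, modified_on=NOW() WHERE id=?'
        );
        $stmt->bind_param('ssiii', $uri, $descr, $privilege_level, $login_id, $id);
        $ok = $stmt->execute();
        $stmt->close();
        return $ok;
    }

    $stmt = $link->prepare(
        'UPDATE adminmodule SET uri=?, descr=?, privilege_level=?, filename=?, size=?, code=?, ' .
        'modified_by=?, modified_on=NOW() WHERE id=?'
    );
    $size = strlen($code);
    $blob = null; // placeholder: 'b' parameters are fed through send_long_data()
    $stmt->bind_param('ssisibii', $uri, $descr, $privilege_level, $filename, $size, $blob, $login_id, $id);
    // Send the file in chunks well under max_allowed_packet; parameter index 5 is `code`.
    foreach (str_split($code, 8192) as $chunk) {
        $stmt->send_long_data(5, $chunk);
    }
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// How the upload handler from the quoted post would call it (request values
// are passed as arguments, never pasted into SQL):
// $filename = null; $code = null;
// if ($_FILES['uploaded_file']['error'] === UPLOAD_ERR_OK) {
//     $filename = $_FILES['uploaded_file']['name'];
//     $code = file_get_contents($_FILES['uploaded_file']['tmp_name']);
// }
// update_admin_module($link, $id, $login_id, $_POST['uri'], $_POST['descr'],
//                     (int) $_POST['privilege_level'], $filename, $code);
```

The `i` type codes coerce `privilege_level`, `size`, `modified_by` and `id` to integers on the PHP side, which is what the quoted `'%d'` placeholders were already doing; the change that matters is `uri`, `descr` and `filename`, which are now bound as `s` parameters instead of being spliced into the query text. With `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` set, a failed `prepare()` or `execute()` throws rather than returning `false` silently.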