Re: mysql_real_escape_string paranoid enough?

> I typically do something like this:
>
> $data_sql = mysql_real_escape_string($data, $connection);
> $query = "insert into data(data) values('$data_sql')";
> $insert = mysql_query($query, $connection);
> if (!$insert){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> My custom error handler logs the mysql error, and displays a nice
> generic "Something went wrong. Please try again or contact us" message
> to the user, wrapped in the page layout, and then exits.
>
> I've just noticed that while the function signature says:
> string mysql_real_escape_string( ...)
>
> The docs say it could return FALSE in case of error.
>
> I'm not real sure what all could cause a FALSE return.
>
> Obviously, if the database server/process/chipmunk has DIED just
> before the call to mysql_real_escape_string, I'll get FALSE back.
>
> If the input string is just too whack for the function to parse, could
> I get FALSE, and then I'd be inserting junk into the DB?
>
> Or is it possible that the function returns FALSE for what is
> obviously a hack attempt?
>
> I guess I'm asking if anybody adds a line like:
>
> if ($data_sql === false){
>  trigger_error(mysql_error($connection), E_USER_ERROR);
> }
>
> Or is that not really going to do anything useful/better than what I
> already have?

Yes, you could add that condition, and it would be helpful if you also
include the value of $data in addition to mysql_error so you can
examine and figure out what caused it to return FALSE.

Also, the PHP manual says this:
mysql_query() will also fail and return FALSE if the user does not
have permission to access the table(s) referenced by the query.

Virgil
http://www.jampmark.com
Free tips, tutorials, innovative tools and techniques useful for
building and improving web sites.
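The strict FALSE check discussed in this thread, as an added example (not code from either poster or from the PHP manual). It assumes the legacy ext/mysql API of PHP 5.x and a live link resource in $connection, and also shows why the check must be `===` rather than a loose test:

```php
<?php
// Added example, not code from the thread. Assumes the legacy ext/mysql
// API (PHP 5.x); $connection is assumed to be a live mysql link resource.

// Escape $data or abort. A FALSE return is treated as a hard failure, and
// the original input is logged next to the MySQL error, as the reply
// suggests, so the cause can be examined later.
function escape_or_abort($data, $connection)
{
    $escaped = mysql_real_escape_string($data, $connection);
    if ($escaped === false) {
        error_log(sprintf(
            'mysql_real_escape_string failed: %s; input (hex)=%s',
            mysql_error($connection),
            bin2hex($data)   // hex keeps control bytes in the input readable
        ));
        trigger_error('Escaping failed; query aborted', E_USER_ERROR);
    }
    return $escaped;
}

// Build the INSERT only from a string; anything else is refused, so a
// FALSE that slipped through can never be interpolated as an empty value.
function build_insert($escaped)
{
    if (!is_string($escaped)) {
        throw new InvalidArgumentException('escaped value must be a string');
    }
    return "insert into data(data) values('" . $escaped . "')";
}

// What goes wrong without the check (this part needs no database):
// FALSE interpolates as an empty string, so the row is silently stored
// as '' and nothing fails loudly.
$data_sql = false;
$query = "insert into data(data) values('$data_sql')";
var_dump($query);

// Why the comparison must be strict: a loose test such as !$data_sql
// also rejects the legitimate inputs "0" and "", while === false does not.
var_dump(!"0", "0" === false, !"", "" === false);

try {
    build_insert(false);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

ext/mysql was removed in PHP 7.0; with mysqli or PDO the same insert is better written as a prepared statement, which takes the escaping step, and this failure mode, out of the picture.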

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php