Asked  7 Months ago    Answers:  5   Viewed   34 times

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used.
Bringing some fossilized articles as proof.

So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?

With proof code, please.

 Answers

75

From the MySQL’s C API function mysql_real_escape_string description:

If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

So don’t use SET NAMES/SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).

Wednesday, March 31, 2021
 
ranhan
answered 7 Months ago
51

Did you set the exception mode for PDO with:

$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

Update: check is a MySQL reserved word, so you need to escape it.

$STH = $DBH->prepare('UPDATE accounts SET `check` = :check_amnt WHERE accnt = :user');
Saturday, May 29, 2021
 
Asher
answered 5 Months ago
93

There is no way in CSS specs or drafts, but Firefox has a proprietary selector (pseudo-class) :-moz-broken. Its documentation is very concise and it says “intended for use mainly by theme developers”, but it can be used e.g. as follows:

:-moz-broken { outline: solid red }
:-moz-broken:after { content: " (broken image)" }

Although the documentation says that it “matches elements representing broken image links”, it actually matches broken images (an img element where the src attribute does not refer to an image), whether they are links or not. Presumably, “links” really means “references” here.

CSS 2.1 says: “This specification does not fully define the interaction of :before and :after with replaced elements (such as IMG in HTML). This will be defined in more detail in a future specification.” But Selectors Level 3 (CSS3 Selectors) just says about them: “They are explained in CSS 2.1.” In practice, browsers handle them differently. Oddly enough, Firefox supports :-moz-broken:after but ignores :-moz-broken:before. It does not support either of these pseudo-elements for normal images, but img:after, too, is supported for a broken image (i.e., the specified content appears after the alt attribute value).

Friday, August 6, 2021
 
c_k
answered 3 Months ago
71

This is because you are using relative paths to your resources (CSS, JS and image files). You need to use either root-relative (starting with a slash) or absolute URLs.

Alternatively, use a base element in the head section that tells the browser what the relative URLs are relative to. For example:

<base href="http://example.com/">

(Note, however, that there are caveats when using the base tag if you have in-page anchors, e.g. href="#top", or need to support IE6?!)

However, if you type in a different path http://example.com/another/test.html the 404 page comes up as well but the links to the css and images are broken.

For example, a URL like css/normalize.css in the page at this address will resolve to http://example.com/another/css/normalize.css, when you are expecting it to be relative to the document root.

In addition, the URL occasionally resolves to http://example.com/example.com/kontakt having the actual domain example.com in there.

This sounds like you are missing the scheme from some of your links, for example:

<a href="example.com/kontakt">Link Text</a>

Whereas it should be:

<a href="http://example.com/kontakt">Link Text</a>

Or, protocol relative:

<a href="//example.com/kontakt">Link Text</a>

See also my answer to this question over on the Pro Webmasters stack: https://webmasters.stackexchange.com/questions/86450/htaccess-rewrite-url-leads-to-missing-css

Saturday, August 7, 2021
 
Daveel
answered 3 Months ago
38

Does MySQL automatically escape their output or something like that, or should I escape in the second query as well?

You need to escape in the second query as well. MySQL does not do any escaping on its output.

Long answer: MySQL string escaping does not modify the string that is being inserted, it just makes sure it doesn't do any harm in the current query. Any SQL injection attempt still remains in the data.

Monday, August 9, 2021
 
Mountains
answered 3 Months ago
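
The round trip described in the last answer, as an added example that is not part of the original posts. It assumes an in-memory SQLite database in place of MySQL and a hypothetical escape_literal() helper (SQLite's quote doubling) in place of mysql_real_escape_string(); the table names and the sample value are constructed.

```python
import sqlite3

def escape_literal(value: str) -> str:
    """Hypothetical stand-in for mysql_real_escape_string(): SQLite escapes ' by doubling it."""
    return value.replace("'", "''")

def setup() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    return db

def store_user(db, name):
    # First query: the value is escaped, so the statement parses as intended.
    db.execute("INSERT INTO users (name) VALUES ('" + escape_literal(name) + "')")

def read_user(db):
    # The parser consumed the escaping; the stored value is the original string.
    return db.execute("SELECT name FROM users").fetchone()[0]

def orders_unescaped(db, owner):
    # Second query built from database output with no escaping: the quote is live again.
    return db.execute("SELECT item FROM orders WHERE owner = '" + owner + "'").fetchall()

def orders_escaped(db, owner):
    # The answer's advice: escape again for every query the value is placed into.
    sql = "SELECT item FROM orders WHERE owner = '" + escape_literal(owner) + "'"
    return db.execute(sql).fetchall()

def orders_bound(db, owner):
    # Placeholder binding keeps the value out of the SQL text entirely.
    return db.execute("SELECT item FROM orders WHERE owner = ?", (owner,)).fetchall()

def demo():
    db = setup()
    name = "O'Brien"  # constructed sample value containing a quote
    store_user(db, name)
    db.execute("INSERT INTO orders VALUES (?, ?)", (name, "book"))
    stored = read_user(db)
    try:
        orders_unescaped(db, stored)
        unescaped = "ok"
    except sqlite3.OperationalError:
        unescaped = "syntax error"  # the raw quote ended the literal early
    return stored, unescaped, orders_escaped(db, stored), orders_bound(db, stored)

if __name__ == "__main__":
    print(demo())
```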