¿Es necesario usar mi 'sql_real_escape_string' al seleccionar en MySQL? [duplicar]

I'm following a tutorial, Creating a Secure Login System the Right Way, about how to create a login system. In the code they use mysql_real_escape_string on the username field before passing it to the database as a query, that is,

$username = mysql_real_escape_string($username);

Is this necessary since I am not adding anything to the database, I am simply checking if this user already exists?

The reason I am not just leaving it in anyway is when I use the above code, it renders my text blank and so is sending an empty string to the database. I don't know why this is, so I thought, if I could leave it out, I would.

Below is for advice about database connection being open from a commenter (passwords, etc. been changed):

function dbConnect(){
    $connection = mysql_connect('localhost', 'username', 'password');
    $database=mysql_select_db('database', $connection);

    return $connection;

$username = $_POST['username'];
$password = $_POST['password'];
$password = md5($password);

$username = mysql_real_escape_string($username);

$query = mysql_query("SELECT *
      FROM members
      WHERE username = '$username'
      AND password = '$password'",dbConnect());

preguntado el 02 de mayo de 12 a las 19:05

your query can be canceled or marked as a comment and another one could be attached due to that. also nested queries (subqueries) might work, so every data passed via sql that comes from outer sources should be validated and/or sanitized. -

Ok thanks. Can you please answer the second part please why it renders my string empty? -

mysql_real_escape_string() would only return blank if $username were blank. The problem lies elsewhere. -

It's not blank, I do an echo on $username before doing $username = mysql_real_escape_string($username) and it returns a value, after that it doesn't -

mysql real escape string needs an open mysql connection and defaults to false on errors. is there a php warning? -

3 Respuestas

Es posible que desee utilizar DOP con declaraciones preparadas. Prepared statements are like placeholders in an SQL query and you're later on shipping the data that will then be inserted on those places. This makes escaping strings obsolete.

As I've already mentioned in the comments above: every SQL query with user input is vulnerable to inyección SQL ataques.

Respondido el 23 de Septiembre de 12 a las 19:09

The proper code is:

$username = mysql_real_escape_string($_POST['username']);
$password = md5($_POST['password']);

$sql = "SELECT * FROM members WHERE username = '$username' AND password = '$password'";
$res = mysql_query($sql) or trigger_error(mysql_error().$sql);

Respondido el 23 de Septiembre de 12 a las 19:09

thats great thank you, it works now. I wasn't sure about the connection bit, I thought the mysql_query function had to include the database connection - Claro

@Nicola it could use an explicit connection too. You could use una variable to store a connection and use it with mysql_connect(). Otherwise las opened connection will be used - Tu sentido común

right, I think I need to do some reading up on connections and different ways to connect - Claro

Yes it is necessary because the username could contain special character not allowed in SQL that need to be escaped like ' or / por ejemplo


Sin escapar ' in the username McDonald's would lead to an illegal SQL statement:

select * from your_table where username = 'McDonald's'

contestado el 02 de mayo de 12 a las 19:05

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.