php - Mysqli and escape strings?



I am beginning the process of converting from mysql to mysqli.

I have been doing research on it and find it a bit confusing.

I have 2 questions at this point regarding the matter:

1) What does it mean to "escape" a string, and where does the code go? I assume it goes on the page with the database login credentials.

I found the following, which I find hard to interpret:

"We'll use the mysqli_real_escape_string() function. Since it needs a database connection, we'll go ahead and wrap it in its own function. In addition, since we need to escape strings, we might as well quote the value at the same time:"

```php
// db_connect() is the tutorial's own helper; it returns an open mysqli connection.
function db_quote($value) {
    $connection = db_connect();
    // Escape the characters MySQL treats as special, then wrap the result in single quotes
    // so it can be dropped straight into the query as a string literal.
    return "'" . mysqli_real_escape_string($connection, $value) . "'";
}
```

"If you are not sure of the type of value you are passing to the database, it's best to treat it as a string: escape it and quote it. Let's look at a common example, a form submission. We'll use our previous insert query with user input:"

```php
// Quote and escape the form-submitted values ($_POST is the PHP superglobal; it is case-sensitive).
$name  = db_quote($_POST['username']);
$email = db_quote($_POST['email']);

// Insert the values into the database; db_query() is the tutorial's own wrapper around mysqli_query().
// $name and $email are already quoted, so they are concatenated without extra quotes.
$result = db_query("INSERT INTO `users` (`name`,`email`) VALUES (" . $name . "," . $email . ")");
```

2) After I have set this up in the code, how do I test that it is indeed working (without completely wiping out tables, etc.)?

I need further explanations on the subject before I begin the process.

Any resources, advice, or pointers in the right direction are appreciated.

Escaping a string means converting characters that are treated as special in a query into literal characters. An example is the single quote. It has special meaning in a query, and attackers can use it to alter the functionality of the query to bypass security. Escaping the character makes it a non-functional part of the query, so that it only contributes to the string value. Details on this can be found by studying SQL injection attacks.

As a rule, any time you build a query from uncontrolled values, the values should be escaped.

**After I have set this up in the code, how do I test that it is indeed working (without completely wiping out tables, etc.)?**

My preference is a combination of extracting the final query for manual testing, and extensive use of a test database so that the integrity of the production database isn't affected during development.
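Added example, not code from the question or the tutorial it quotes: a Python model of the `db_quote()` helper together with the "extract the final query and check it" test the answer recommends. The escape table is assumed to reproduce the documented behaviour of `mysqli_real_escape_string()` (NUL, newline, carriage return, backslash, both quote characters and Control-Z), so the example runs without a database connection.

```python
# Added example (not the question's or tutorial's code): a model of db_quote()
# and of the "inspect the final query" check the answer recommends.  The escape
# table reproduces the documented behaviour of mysqli_real_escape_string().
_ESCAPE = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
_UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}

def escape(value: str) -> str:
    """Make every character MySQL treats as special a literal one."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def db_quote(value: str) -> str:
    """Escape AND quote, like the db_quote() helper in the question."""
    return "'" + escape(value) + "'"

def build_insert(name: str, email: str) -> str:
    """Assemble the final query exactly as the question's snippet does."""
    return ("INSERT INTO `users` (`name`,`email`) VALUES ("
            + db_quote(name) + "," + db_quote(email) + ")")

def split_literals(query: str) -> tuple[str, list[str]]:
    """Replace each single-quoted literal with ? and return the literal bodies.
    Backslash escapes the next character (what db_quote() relies on); raises
    ValueError if a literal never closes, i.e. a stray quote broke the query."""
    shape, literals, i = [], [], 0
    while i < len(query):
        if query[i] != "'":
            shape.append(query[i]); i += 1; continue
        body, j = [], i + 1
        while j < len(query) and query[j] != "'":
            if query[j] == "\\" and j + 1 < len(query):
                body.append(_UNESCAPE.get(query[j + 1], query[j + 1])); j += 2
            else:
                body.append(query[j]); j += 1
        if j >= len(query):
            raise ValueError("unterminated string literal in: " + query)
        literals.append("".join(body)); shape.append("?"); i = j + 1
    return "".join(shape), literals

def query_keeps_shape(query: str, expected_shape: str, values: list[str]) -> bool:
    """The check from the answer: the assembled query must still have the shape
    the developer intended, with the user input confined to the literals."""
    try:
        return split_literals(query) == (expected_shape, values)
    except ValueError:
        return False
```

Run `query_keeps_shape()` on the query string you extract from your code before sending it to the test database: a quote or backslash in the input must round-trip into a literal without changing the `?` skeleton.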

