dongshou1991 2014-04-25 12:14
35 views
Accepted

How safe is $mysqli->real_escape_string for a SELECT query that takes user input?

My PHP application has a query that takes an md5 hash as input from a user via the GET method, then applies $mysqli->real_escape_string() to it. After that it runs the SELECT statement.

How safe is that function? Is it possible to SQL inject it or XSS it?


4 answers

  • douhuireng4407 2014-04-25 12:18

    This is safe. If you don't feel safe, it only has characters and integers, so you can easily test that it is an md5 string (see example below). But again, there is no need for all of that.

    An alternative would be prepared statements. They're a bit more complex, but safe:

    $id = 'a1b2c3'; // bind_param() takes its arguments by reference, so the value must be in a variable, not a literal
    $stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)");
    $stmt->bind_param("s", $id); // "s" stands for String, "i" would be Integer
    $stmt->execute();
    

    This is a very simplified example; the URL above the code block explains more. Keep in mind that prepared statements have an overhead! Doing this for one execution per query will slow things down.


    Small example to check if a string could be an md5 hash:

    function isMd5($string){
        // md5 hex digests are 32 chars* long. Simple test, do that first:
        if (strlen($string) !== 32) { return false; }
        // It only has the chars a-f (either case) and digits; any other character -> not md5.
        // preg_match() needs pattern delimiters, and the check must fail when the pattern does NOT match:
        elseif (!preg_match('/^[0-9a-fA-F]{32}$/', $string)) { return false; }

        // No errors, return true:
        return true;
    }
    // *raw mode (md5($s, true)) has 16 bytes, but when you work with that, you'll know
    

    This is not a very useful function, because it will not really secure a lot; this is just to show you how you can verify info. You read the documentation to see the results, and make checks to test whether the input matches possible results.

    This answer was selected as the best answer by the asker.
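The answer above covers validation and prepared statements separately. The following is an added example, not code from the original answer, that puts both together for the exact case in the question: a GET parameter that must be an md5 hex digest, used in a SELECT, with the result rendered to HTML. It also shows why escaping alone is only safe when the escaped value is placed inside quotes. The table `files`, its columns `md5`, `name` and `size`, the connection credentials, and the availability of `mysqli_stmt::get_result()` (requires the mysqlnd driver) are assumptions.

```php
<?php
// Added example (not part of the original answer). Assumed schema:
//   CREATE TABLE files (md5 CHAR(32) PRIMARY KEY, name VARCHAR(255), size INT);
// Connection details and the mysqlnd driver (for get_result()) are also assumed.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently continuing

/**
 * Whitelist the input: exactly 32 hex characters, nothing else.
 * \A and \z anchor to the whole string; a plain $ would still accept "…\n".
 * Returns the lowercased digest, or null if the input is not a digest.
 */
function md5ParamOrNull(string $value): ?string
{
    return preg_match('/\A[0-9a-fA-F]{32}\z/', $value) === 1 ? strtolower($value) : null;
}

/**
 * Look up a row by digest with a prepared statement. The value travels to the
 * server separately from the SQL text, so it cannot change the query's structure
 * and needs no escaping at all.
 */
function findByMd5(mysqli $db, string $hash): ?array
{
    $stmt = $db->prepare('SELECT name, size FROM files WHERE md5 = ? LIMIT 1');
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * The escaping approach from the question, written the only way it is safe:
 * the escaped value MUST sit inside quotes, and the connection charset MUST be
 * set with set_charset() so real_escape_string() knows which bytes to escape.
 * Dropping the quotes ("WHERE md5 = " . $escaped) would let input such as
 *   1 OR 1=1
 * pass through untouched, because there is nothing in it to escape.
 */
function findByMd5Escaped(mysqli $db, string $hash): ?array
{
    $escaped = $db->real_escape_string($hash);
    $sql = "SELECT name, size FROM files WHERE md5 = '" . $escaped . "' LIMIT 1";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// ---- request handling ----
$hash = md5ParamOrNull((string)($_GET['hash'] ?? ''));
if ($hash === null) {
    http_response_code(400);
    exit('Bad request');
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$db->set_charset('utf8mb4'); // set_charset(), not "SET NAMES", so the client library tracks the charset

$row = findByMd5($db, $hash);
if ($row === null) {
    http_response_code(404);
    exit('Not found');
}

// SQL escaping does nothing for the XSS half of the question: escape for HTML at output time.
printf(
    '<p>%s (%d bytes)</p>',
    htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
    (int)$row['size']
);
```

Because the whitelist admits only `[0-9a-f]{32}`, either lookup function is safe for this particular input; the prepared-statement version is the one that stays safe when the validation is later loosened or forgotten, which is why it is the default choice. The `htmlspecialchars()` call answers the XSS part of the question: `real_escape_string()` is only about SQL string literals and has no bearing on what the browser does with the value.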