kegunaan mysql_real_escape_string() ?
resa edan sitik · Nov 26, 2012
maksud dan kegunaan dari mysql_real_escape_string() itu apanya, terus dari kegunaanya dalam keamanan web seberapa penting mysql_real_escape_string() itu.
sekalian minta contoh source code dan tutorialnya. buat saya pelajari lebih dalam. terima kasih.
sekalian minta contoh source code dan tutorialnya. buat saya pelajari lebih dalam. terima kasih.
Silahkan login untuk menjawab!
0
Loading...
mokegile
· Nov 26, 2012
· 0 Suka
· 0 Tidak Suka
gunanya buat nambahin backslash pd karakter \x00, \n, \r, \, ', " dan \x1a
contoh :
contoh :
buat database test
buat tabel admin: username varchar(20) dan password varchar(20)
trus insert username sama passwordnya (trserah agan)
misal :
coba isi username dan passwordnya sesuai yg di database (joke dan 123).
outputnya yg tampil :
select * from admin where username = 'joke' && password = '123'
username dan password benar
coba isi lagi dgn
username: test' or '1=1
password : test' or '1=1
outputnya yg tampil :
select * from admin where username = 'test' or '1=1' && password = 'test' or '1=1'
username dan password benar
bandingkan dgn cek.php yg ini
username: test' or '1=1
password : test' or '1=1
outputnya yg tampil :
select * from admin where username = 'test\' or \'1=1' && password = 'test\' or \'1=1'
username dan password salah
contoh :
<?php
mysql_connect("localhost","root","");
$kal = "dia sedang 'belajar'";
echo mysql_real_escape_string($kal); // dia sedang \'belajar\'
?>contoh :
buat database test
buat tabel admin: username varchar(20) dan password varchar(20)
trus insert username sama passwordnya (trserah agan)
misal :
+----------+----------+
| username | password |
+----------+----------+
| joke | 123 |
+----------+----------+
<form action="cek.php" method="post">
username:<input type="text" name="username"/><br/>
password:<input type="password" name="password"/><br/>
<input type="submit" value="login"/>
</form><?php
mysql_connect("localhost","root","");
mysql_select_db("test");
$username = $_POST['username'];
$password = $_POST['password'];
echo "<p>select * from admin where username = '$username' && password = '$password'</p>";
$query = mysql_query("select * from admin where username = '$username' && password = '$password'");
$row = mysql_fetch_array($query);
if($row) echo "username dan password benar";
else echo "username dan password salah";
?>coba isi username dan passwordnya sesuai yg di database (joke dan 123).
outputnya yg tampil :
select * from admin where username = 'joke' && password = '123'
username dan password benar
coba isi lagi dgn
username: test' or '1=1
password : test' or '1=1
outputnya yg tampil :
select * from admin where username = 'test' or '1=1' && password = 'test' or '1=1'
username dan password benar
bandingkan dgn cek.php yg ini
<?php
mysql_connect("localhost","root","");
mysql_select_db("test");
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
echo "<p>select * from admin where username = '$username' && password = '$password'</p>";
$query = mysql_query("select * from admin where username = '$username' && password = '$password'");
$row = mysql_fetch_array($query);
if($row) echo "username dan password benar";
else echo "username dan password salah";
?>username: test' or '1=1
password : test' or '1=1
outputnya yg tampil :
select * from admin where username = 'test\' or \'1=1' && password = 'test\' or \'1=1'
username dan password salah