sqlite escape string
#5

Quote:
Originally Posted by DavidBilla
why should strings be escaped
To filter out special characters that the SQL interpreter may read as part of the query rather than part of the string. You will either get an erroneous query or an unexpected result which may prove useful to a hacker. For example the character ' (single quote) is used to denote strings, but if it appears in a string itself it must be escaped, for example:
PHP code:
... WHERE name='O'Hare';
Would produce an error
PHP code:
... WHERE name='O\'hare'
Would not produce an error.

This is the simple case, but it is also necessary to protect against people who could exploit this by supplying a weird input, like
PHP code:
zrtpqdfgh' OR 1=1; --
In which case the unescaped query would look like:
PHP code:
... WHERE name='zrtpqdfgh' OR 1=1; --';
That will likely yield the first account in the database which is nearly always the one of the administrator, leading to potentially dangerous situations.

Quote:
Originally Posted by DavidBilla
what are the cases where it should be used
Any time you expect user input. That includes dialogs, chat text and command text.
Reply
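The three cases described in the post above, worked through as an added example (not code from the thread or from any SQLite library): a throwaway in-memory SQLite database with a constructed `accounts` table whose first row is the administrator, queried with the unescaped string splice, with escaping applied, and with a bound parameter. One caveat a practitioner should know: SQLite itself escapes a single quote inside a string literal by doubling it (`''`), and does not treat a backslash as an escape character, so the escaping helper below uses the doubling rule. The table name, column names and sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data: the administrator is the first account, as the post
# notes is typical. The password hashes are placeholders, not real values.
SAMPLE_ACCOUNTS = [
    ("admin", "hash-placeholder-1"),
    ("O'Hare", "hash-placeholder-2"),
    ("bob", "hash-placeholder-3"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO accounts (name, pwhash) VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_unescaped(conn, name):
    """Vulnerable form: the user-supplied name is spliced straight into the SQL text,
    so a quote in the input is read by the SQL parser as the end of the string."""
    sql = "SELECT name FROM accounts WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def sqlite_escape(value):
    """SQLite's own rule: a single quote inside a string literal is written as two
    single quotes. SQLite does NOT treat backslash as an escape character."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    """Same query text, but the input is escaped before being placed inside the quotes,
    so the whole input is treated as the string value."""
    sql = "SELECT name FROM accounts WHERE name='%s'" % sqlite_escape(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Preferred form: the driver binds the value separately from the SQL text, so the
    input is never parsed as SQL and no escaping step can be forgotten."""
    return [row[0] for row in conn.execute("SELECT name FROM accounts WHERE name=?", (name,))]


def run_safely(fn, conn, name):
    """Call one of the lookups and return its rows, or None if SQLite rejected the query."""
    try:
        return fn(conn, name)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    # First input is the legitimate name with a quote in it; the second is the
    # weird input from the post that turns the WHERE clause into "always true".
    for user_input in ("O'Hare", "zrtpqdfgh' OR 1=1; --"):
        print("input:", repr(user_input))
        print("  unescaped:     ", run_safely(lookup_unescaped, db, user_input))
        print("  escaped:       ", run_safely(lookup_escaped, db, user_input))
        print("  parameterized: ", run_safely(lookup_parameterized, db, user_input))
```

Run as a script it shows the unescaped lookup failing on O'Hare and returning every account (admin first) for the crafted input, while the escaped and parameterized lookups return exactly the one matching row or nothing. Bound parameters are the form to reach for whenever the database driver offers them; escaping is the fallback when the only interface available is a raw query string.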


Messages In This Thread
sqlite escape string - by DavidBilla - 22.10.2015, 08:19
Re: sqlite escape string - by PrO.GameR - 22.10.2015, 08:27
Re: sqlite escape string - by DaniceMcHarley - 22.10.2015, 08:37
Re: sqlite escape string - by rymax99 - 22.10.2015, 09:37
Re: sqlite escape string - by Vince - 22.10.2015, 09:48
Re: sqlite escape string - by PrO.GameR - 22.10.2015, 10:48
