Acmlm's Board - I2 Archive - Programming - What does the ` character do in PHP?
Banedon
Posted on 02-28-05 03:22 AM
I have seen some examples of MySQL queries in PHP code, where parts of the queries are enclosed in ` characters (the back quote, not the normal single quote ' or double quote "). What does this mean, and when, if ever, is it necessary?

I am in the very early stages of writing a major PHP/MySQL-based application, and I have never needed the `, nor seen an explanation of its use. All I know is that someone told me it's insecure...

P.S. I am no longer a total PHP noob, I've figured out a lot of how the language works and whatnot, and have even completed a few PHP programs.
Parasyte
Posted on 02-28-05 03:47 AM
The back-quote character seems to be just another way to specify strings to the database. If they hold any specific, special purpose, I do not know. The reason they are insecure with PHP is because PHP will not escape back-quote characters (neither magic_quotes nor addslashes() does), allowing potential vulnerabilities. For example, someone may enter the following as their username on a forum:

` OR powerlevel=4 #

This could be damaging: the back-quote character would close a string delimited by back-quotes, the following statement would cause the query to return the first row matching the powerlevel (granting admin access, for example), and the trailing hash mark (#) would comment out the rest of the query, removing whatever security the following statements may have added (like checking the password). This would all be possible simply because PHP does not escape the back-quote character with a backslash.
Vystrix Nexoth
Posted on 02-28-05 12:08 PM
To answer the question in the thread title: `foo` equals shell_exec("foo");

In MySQL, the ` character allows you to use a MySQL reserved word as a database/table/field identifier, e.g. if you want a table that is named "select", you must enclose that name in backticks, lest MySQL interpret it as the "SELECT" command and fail with a parse error:
SELECT foo FROM `select` WHERE this=that;
It seems many PHP+MySQL programmers have gotten in the habit of escaping every database/table/field name in this manner. I myself have never needed or used it.

Regarding SQL injection, use PHP's mysql_escape_string() function on anything and everything that is taken from the user and put in a query.
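As an added example (not code from anyone in this thread), the following PHP shows the defensive side of both points above: back-quoting an identifier so a reserved word parses, and keeping user-supplied values out of the SQL text entirely with bound parameters, since addslashes() and mysql_escape_string() leave the back-quote alone. It assumes a PDO connection to MySQL and a hypothetical `users` table with `username` and `powerlevel` columns.

```php
<?php
// Added example for this thread; the table, columns and connection details
// are assumptions, not taken from the original posts.

// Table/column names cannot be bound as query parameters, and the escaping
// functions discussed above do not touch the back-quote, so an identifier
// that comes from user input is only accepted if it is on a fixed list.
function quoteIdentifier(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $name");
    }
    // Back-quote the name so a reserved word such as `select` still parses;
    // MySQL represents a back-quote inside a quoted identifier by doubling it.
    return '`' . str_replace('`', '``', $name) . '`';
}

// Values (here the username) travel as bound parameters, so any quote
// character the user types, the back-quote included, is data rather than SQL.
function findUser(PDO $pdo, string $sortColumn, string $username): ?array {
    $allowedSortColumns = ['username', 'powerlevel'];
    $col = quoteIdentifier($sortColumn, $allowedSortColumns);

    $sql = "SELECT `username`, `powerlevel` FROM `users` "
         . "WHERE `username` = :username ORDER BY $col LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical usage: native prepared statements are forced on so the
// driver, not string escaping, separates the SQL from the values.
$pdo = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// The username from the post above is looked up as a literal string and
// simply matches no row; passing it as $sortColumn throws instead of
// being spliced into the query.
var_dump(findUser($pdo, 'powerlevel', '` OR powerlevel=4 #'));
```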
© 2000-2005 Acmlm, Emuz, et al