Victor Volpe

Reputation: 111

mysql_real_escape_string before mysql_real_query

I'm storing the hash signature of my users' certificates in MySQL to do a post-handshake verification. X509_digest() generates a 20 byte (SHA1) hash that may contain null bytes, and I'm comparing it to the database hash that is stored in a BINARY(20) column. My question is: if mysql_real_escape_string() deals with the null byte and other MySQL special characters, why should I use mysql_real_query() instead of mysql_query(), as shown in every example? Remember that I'm escaping the hash before including it in the query string, so there is no null byte, special character or misleading backslash that generates a wrong strlen() output.

Thanks.

Upvotes: 0

Views: 339

Answers (1)

jbafford

Reputation: 5668

The mysql_query and mysql_real_query documentation indicates that the difference between the two is that mysql_real_query takes a string and a length; and mysql_query takes only a string (and thus requires performing a strlen to get the length).

This is even more clear in the actual source code:

// From libmysql/libmysql.c
#include <string.h>   /* strlen */
#include <mysql.h>    /* MYSQL, STDCALL, ulong, mysql_real_query */

int STDCALL
mysql_query(MYSQL *mysql, const char *query)
{
  /* The length is taken from the C string, so an embedded NUL would end the query early. */
  return mysql_real_query(mysql,query, (ulong) strlen(query));
}

mysql_query is literally a thin wrapper around mysql_real_query, and if you can call mysql_real_query directly, you should.

Upvotes: 1
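The following added example (not code from the question, the answer, or libmysql) shows the two lengths that are at stake: the one strlen() reports for a query with the raw 20-byte digest spliced in, and the one a query built from the escaped digest actually has. It runs without a MySQL server because escape_bytes() is a small reimplementation of the escaping rules documented for mysql_real_escape_string() (NUL becomes \0, newline \n, carriage return \r, Ctrl-Z \Z, and backslash and both quote characters get a backslash); that this matches what the real function does for your connection's character set and SQL mode is an assumption, and the table and column names, the hypothetical digest bytes and the function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20
#define QUERY_PREFIX "SELECT id FROM users WHERE cert_sha1 = '"   /* hypothetical schema */

/* Constructed sample digest: contains a NUL, a single quote, a backslash,
 * a newline and a Ctrl-Z, i.e. every byte the escaping rules rewrite. */
static const unsigned char SAMPLE_DIGEST[DIGEST_LEN] = {
    0xde, 0xad, 0xbe, 0x00, 0x27, 0x5c, 0x0a, 0x1a, 0x08, 0x09,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19
};

/* Reimplementation (assumption) of the documented mysql_real_escape_string()
 * rules. 'to' must hold at least 2*len+1 bytes. Returns the escaped length,
 * which never counts the terminating NUL. */
size_t escape_bytes(char *to, const unsigned char *from, size_t len)
{
    char *p = to;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = from[i];
        switch (c) {
        case 0:    *p++ = '\\'; *p++ = '0'; break;
        case '\n': *p++ = '\\'; *p++ = 'n'; break;
        case '\r': *p++ = '\\'; *p++ = 'r'; break;
        case 0x1a: *p++ = '\\'; *p++ = 'Z'; break;
        case '\\': case '\'': case '"':
                   *p++ = '\\'; *p++ = (char)c; break;
        default:   *p++ = (char)c; break;
        }
    }
    *p = '\0';
    return (size_t)(p - to);
}

/* Builds the lookup query from the escaped digest and returns its real
 * length: the value to pass to mysql_real_query(). Returns 0 on error. */
size_t build_query(char *out, size_t outsz, const unsigned char *digest, size_t digest_len)
{
    char esc[2 * DIGEST_LEN + 1];           /* worst case: every byte escaped */
    if (digest_len > DIGEST_LEN) return 0;
    escape_bytes(esc, digest, digest_len);  /* output contains no NUL byte */
    int n = snprintf(out, outsz, QUERY_PREFIX "%s'", esc);
    if (n < 0 || (size_t)n >= outsz) return 0;
    return (size_t)n;
}

/* The trap the question is about: splice the raw digest in without escaping
 * and measure the query the way mysql_query() does. strlen() stops at the
 * first NUL inside the digest, so the statement sent would be truncated.
 * Returns the length strlen() reports (0 if the buffer is too small). */
size_t naive_query_len(char *out, size_t outsz, const unsigned char *digest, size_t digest_len)
{
    size_t plen = strlen(QUERY_PREFIX);
    if (plen + digest_len + 2 > outsz) return 0;
    memcpy(out, QUERY_PREFIX, plen);
    memcpy(out + plen, digest, digest_len);
    out[plen + digest_len] = '\'';
    out[plen + digest_len + 1] = '\0';
    return strlen(out);
}

int main(void)
{
    char buf[256];
    size_t escaped_len = build_query(buf, sizeof buf, SAMPLE_DIGEST, DIGEST_LEN);
    printf("escaped query: %s\n", buf);
    printf("explicit length %zu, strlen() %zu\n", escaped_len, strlen(buf));
    size_t naive = naive_query_len(buf, sizeof buf, SAMPLE_DIGEST, DIGEST_LEN);
    printf("raw digest: intended length %zu, strlen() sees only %zu\n",
           strlen(QUERY_PREFIX) + DIGEST_LEN + 1, naive);
    return 0;
}
```

With the escaped digest the two lengths agree, which is why the question's reasoning holds; with the raw digest they differ by the bytes after the first NUL, which is the case mysql_real_query()'s explicit length guards against. Passing the length you already know costs nothing and keeps the call correct even if someone later removes or changes the escaping step.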
