Zend PHP 5.3 Certification Exam - ZCE - You run the following PHP script:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

Question 21/35
You run the following PHP script:
```
<?php 
$name = mysql_real_escape_string($_POST["name"]); 
$password = mysql_real_escape_string($_POST["password"]); 
?>
```
What is the use of the mysql_real_escape_string() function in the above script. Each correct answer represents a complete solution. Choose all that apply.
It can be used as a countermeasure against a SQL injection attack.

It escapes all special characters from strings $_POST["name"] and $_POST["password"].

It escapes all special characters from strings $_POST["name"] and $_POST["password"] except ' and ".

It can be used to mitigate a cross-site scripting attack.
Explanation: Answer options B and A are correct.

The mysql_real_escape_string() function is used to escape special characters in a string for use in a SQL statement. It therefore makes the data safe before sending the query to MYSQL. For example, a user runs the following PHP script:

<?php
$name = mysql_real_escape_string($_POST["name"]);
$password = mysql_real_escape_string($_POST["password"]);
?>

where the mysql_real_escape_string() function escapes all special characters such as \x00, \n, \n, \, ', ", and \x1a from strings $_POST["name"] and $_POST["password"]. Hence, the danger of the SQL injection attack is mitigated.

Answer option D is incorrect. It does not help prevent cross-site scripting attacks that deal with special HTTP and PHP tags.

Answer option C is incorrect. The mysql_real_escape_string() function will escape all special characters such as \x00, \n, \n, \, ', ", and \x1a from strings $_POST["name"] and $_POST["password"].
Back

Next