Zend Preparation | PHP Quiz (Learning Mode)

Security Learning Mode

Qusetions Index 19/185

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185

You run the following PHP script:

<?php 
$name = mysqli_real_escape_string($_POST["name"]); 
$password = mysqli_real_escape_string($_POST["password"]); 
?>

What is the use of the mysqli_real_escape_string () function in the above script. Each correct answer represents a complete solution. Choose all that apply.

It can be used as a countermeasure against a SQL injection attack.

It escapes all special characters from strings $_POST["name"] and $_POST["password"].

It escapes all special characters from strings $_POST["name"] and $_POST["password"] except ' and ".

It can be used to mitigate a cross-site scripting attack.

Explanation: Answer options B and A are correct.

mysql_real_escape_string() function was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0

The mysqli_real_escape_string() function is used to escape special characters in a string for use in a SQL statement. It therefore makes the data safe before sending the query to MYSQL. For example, a user runs the following PHP script:

<?php
 $name = mysqli_real_escape_string($_POST["name"]);
 $password = mysqli_real_escape_string($_POST["password"]);
 ?>

where the mysqli_real_escape_string() function escapes all special characters such as \x00, \n, \n, \, ', ", and \x1a from strings $_POST["name"] and $_POST["password"]. Hence, the danger of the SQL injection attack is mitigated.

Answer option D is incorrect. It does not help prevent cross-site scripting attacks that deal with special HTTP and PHP tags.

Answer option C is incorrect. The mysqli_real_escape_string() function will escape all special characters such as \x00, \n, \n, \, ', ", and \x1a from strings $_POST["name"] and $_POST["password"].