GPEN Question #74: Real Exam Question with Answer & Explanation

The correct answers are A (It escapes all special characters from strings $_POST["name"] and $_POST["password"].) and D (It can be used as a countermeasure against a SQL injection attack.). mysql_real_escape_string() escapes special characters in user input to sanitize SQL queries and prevent SQL injection attacks.

Question

You run the following PHP script:

    <?php
    $name = mysql_real_escape_string($_POST["name"]);
    $password = mysql_real_escape_string($_POST["password"]);
    ?>

What is the use of the mysql_real_escape_string() function in the above script? Each correct answer represents a complete solution. Choose all that apply.

Options

  • A. It escapes all special characters from strings $_POST["name"] and $_POST["password"].
  • B. It escapes all special characters from strings $_POST["name"] and $_POST["password"]
  • C. It can be used to mitigate a cross site scripting attack.
  • D. It can be used as a countermeasure against a SQL injection attack.

Explanation

mysql_real_escape_string() escapes special characters in user input to sanitize SQL queries and prevent SQL injection attacks.

Common mistakes.

  • B. This choice is functionally identical to choice A, differing only in a missing trailing period, and is therefore a redundant distractor; only one of the two duplicate statements is accepted as the correct answer.
  • C. mysql_real_escape_string() only escapes characters for SQL context and does not encode HTML entities or JavaScript constructs, so it provides no protection against cross-site scripting (XSS) attacks.

Concept tested. PHP SQL injection prevention with input sanitization.

Reference. https://www.php.net/manual/en/function.mysql-real-escape-string.php