Is mysql_real_escape_string enough to Anti SQL Injection?

by

mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there’s some small unknown chance it is vulnerable (but this hasn’t manifested in the real world yet). A better alternative which completely rules out SQL injections on a conceptual level is prepared statements. Both methods entirely depend on your applying them correctly; i.e. neither will protect you if you simply mess it up anyway.

More Related Contents:

  1. How can I prevent SQL injection in PHP?
  2. SQL injection that gets around mysql_real_escape_string()
  3. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  4. Reference: What is a perfect code sample using the MySQL extension? [closed]
  5. SQL injections in ADOdb and general website security
  6. Is mysql_real_escape_string() broken?
  7. Why is using a mysql prepared statement more secure than using the common escape functions?
  8. Does mysql_real_escape_string() FULLY protect against SQL injection?
  9. how safe are PDO prepared statements
  10. Shortcomings of mysql_real_escape_string?
  11. Do I have to guard against SQL injection if I used a dropdown?
  12. MySQL Prepared Statements
  13. Do I have to use mysql_real_escape_string if I bind parameters?
  14. What is the PDO equivalent of function mysql_real_escape_string?
  15. PHP PDO and Mysql [closed]
  16. Parse error: syntax error, unexpected T_STRING in C:\wamp\www\b_php\project\login_save.php on line 14 [closed]
  17. Fatal error: Call to a member function bind_param() on boolean [duplicate]
  18. PDO MySQL: Use PDO::ATTR_EMULATE_PREPARES or not?
  19. strange character encoding of stored data , old script is showing them fine new one doesn’t
  20. How to loop through a mysql result set
  21. MySQL/PHP Error:[2002] Only one usage of each socket address (protocol/network address/port) is normally permitted
  22. PDOException “could not find driver” in php
  23. Error while using PDO prepared statements and LIMIT in query [duplicate]
  24. PDO prepared statement fetch() returning double results
  25. SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
  26. how to download blob based file from MySQL database in PHP?
  27. Finding free blocks of time in mysql and php?
  28. How does “do something OR DIE()” work in PHP?
  29. adding 1 day to a DATETIME format value
  30. Query on a many-to-many relationship using Doctrine with Symfony2

Leave a Comment