Is mysqli_real_escape_string safe?

by

Is this correct?

Yes. This isolated handpicked example is safe. It doesn’t mean, though, that mysqli_real_escape_string should be viewed as a function that’s purpose is to prevent SQL injections. Because in this example it protects you only by accident.

Is this a good example of how to use mysqli_real_escape_string?

Not at all

This function should be abandoned in favor of using parameters in the query. This function will fail you with any query part other than a string literal. And can be even simply overlooked.

A placeholder, also called a parameter, have to be used instead, to represent the data in your query:

$sql="SELECT * FROM usuarios WHERE username=?";
$stmt= $conn->prepare($sql);
$stmt->bind_param("s", $_POST['usuario']);
$stmt->execute();
$rs = $stmt->get_result();

See other examples in my article on the correct use of mysqli

If ever used, this function MUST be encapsulated into another function that does both escaping AND adding quotes, just like PDO::quote() does. Only this way it will be safe.

More Related Contents:

  1. Do I have to guard against SQL injection if I used a dropdown?
  2. Object of class mysqli_result could not be converted to string
  3. When should I use prepared statements?
  4. SELECT COUNT(*) AS count – How to use this count
  5. Mysqli update throwing Call to a member function bind_param() error [duplicate]
  6. Should I manually check for errors when calling “mysqli_stmt_prepare”?
  7. mysqli_real_escape_string() expects exactly 2 parameters, 1 given
  8. Why is using a mysql prepared statement more secure than using the common escape functions?
  9. Shortcomings of mysql_real_escape_string?
  10. INSERT – Number of bind variables doesn’t match number of fields in prepared statement
  11. Call to a member function execute() on boolean in [duplicate]
  12. SSL operation failed with code 1: dh key too small
  13. Can’t pass mysqli connection in session in php
  14. PHP Fatal error: Call to undefined function mysqli_stmt_get_result()
  15. how to bind multiple parameters to MySQLi query [closed]
  16. mysqli ignoring the first row in a table
  17. Returning Multiple Rows with MySqli and Arrays
  18. mySQLi prepared statement unable to get_result()
  19. mysqli_select_db() expects parameter 1 to be mysqli, string given
  20. What does the mysqli_error() expects parameter 1 to be mysqli, null given mean?
  21. Mysqli prepared statement column with variable [duplicate]
  22. Mysqli prepared statements build INSERT query dynamically from array
  23. Using wildcards in prepared statement
  24. mysqli_connect(): (HY000/2002): No connection could be made because the target machine actively refused it
  25. How to remove the fatal error when fetching an assoc array
  26. PHP MySQLi Multiple Inserts
  27. Fatal error: Call to a member function prepare() on a non-object in
  28. Using Prepared Statement, how I return the id of the inserted row?
  29. Is there any way to print the actual query that mysqli->execute() makes?
  30. When should I close a database connection in PHP?

Leave a Comment