Comments
http://stackoverflow.com/questions/6366428/is-mysql-real-escape-string-is-really-safe-to-use
http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
http://www.webmasterworld.com/php/3976164.htm
http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-inje
http://stackoverflow.com/questions/7692847/will-mysql-real-escape-string-prevent-hack
http://stackoverflow.com/questions/14135932/should-i-use-mysqli-real-escape-string-or-mysql-real-escape-string-for-form
http://stackoverflow.com/questions/6641184/mysql-real-escape-string
So much stuff to escape....
The function escapes any string so that you can put it into single quotes in a MySQL query. So if you use it correctly, then of course it protects against any injection for something that will go in single quotes. Of course there are other things, like if you have LIKE then you might want to escape % and such too.
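The point above about LIKE is worth seeing in code. This is an added example, not code from the thread: bound parameters stop the SQL parser from being fooled, but % and _ are interpreted by LIKE itself, so they need their own escaping and an ESCAPE clause. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite database is used only so it runs without a MySQL server; the LIKE behaviour and the PDO calls are the same on MySQL). The table, rows, and the function names connect, escapeLike, searchNaive and searchLiteral are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP with pdo_sqlite so it runs
// without a MySQL server; LIKE wildcards and the PDO API behave the same on MySQL.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT)');
    $ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    // Constructed sample rows; one of them contains literal LIKE metacharacters.
    foreach (['alice', 'bob', '100%_pure', 'carol'] as $n) {
        $ins->execute([':name' => $n]);
    }
    return $db;
}

// Escape the LIKE metacharacters so the user's input is matched literally.
// '!' is used as the escape character because, unlike backslash, it means
// nothing special inside a MySQL string literal, so the query is portable.
function escapeLike(string $s, string $esc = '!'): string {
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $s
    );
}

// Safe from SQL injection (the pattern is a bound parameter), but any % or _
// the user types still acts as a wildcard: "%" alone matches every row.
function searchNaive(PDO $db, string $term): array {
    $st = $db->prepare('SELECT name FROM users WHERE name LIKE :pat');
    $st->execute([':pat' => '%' . $term . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Same query, but wildcards inside $term are neutralised with ESCAPE, so only
// names that literally contain the typed characters match.
function searchLiteral(PDO $db, string $term): array {
    $st = $db->prepare("SELECT name FROM users WHERE name LIKE :pat ESCAPE '!'");
    $st->execute([':pat' => '%' . escapeLike($term) . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = connect();
// A user typing "%" into the search box: every row with the naive version,
// only "100%_pure" with the escaped one.
print_r(searchNaive($db, '%'));
print_r(searchLiteral($db, '%'));
```

The same applies to mysqli: mysqli_real_escape_string() and bound parameters both leave % and _ alone, because they are not quoting characters. Whether a wildcard search is a security problem depends on the application, but for a login or lookup field you almost certainly want the literal form.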
http://php.net/manual/en/pdo.prepared-statements.php
Even if it was 100% safe, it's still deprecated and will be removed in the future, so might as well get a head start and start doing things the right way right now.
he said mysqli
The year is 2013, use PDO.
What changed again? I just learned mysqli a few months ago.
It really doesn't matter. String-concatenated queries are bad.
@dnwk Use prepared statements, without exception. Never ever ever use string concatenation to build queries.
If you can't figure out how to do this in the mysqli extension (I'm unsure how good the documentation on this is), try PDO.
Un-learn it and use PDO. The MySQLi extension is deprecated.
@exussum good catch -- didn't even notice!
I'm still with the others on using PDO instead though.
Huh? To my knowledge only mysql_* is deprecated.
This is false. mysql is, not mysqli.
And don't forget about secondary injection.
Oops, my bad -- I thought MySQLi was also.
In any event, I stand by my advice to use PDO.
My favorite article ever on the subject (from three years ago!):
http://webdevrefinery.com/forums/topic/1272-your-mysql-code-sucks/
I'm using PDO, as it is quite flexible when you want to change, e.g., from MySQL to SQLite or other PDO-supported SQL systems.
+1.
Also, if you use bind variables (either with mysqli or pdo or whatever) then you get the secondary benefit of lower CPU use. If you have a few queries you use a lot, only with different arguments (select blah from blah where _____) then you'll see this benefit. If you don't use bind vars, then the engine has to parse every statement anew. If you use bind vars, it only has to parse it once and it skips the parsing/plan generation phase.
PDO and prepared statements eliminate a lot of easy mistakes, as people above have been saying.
Invisithanks
That's a great takeaway!
Use PDO, and all of your troubles will magically be solved.
Seriously, PDO sounds great, but if it encourages people to code without thinking I can't see it as a good thing.
You still need to think if you use PDO. If a stupid person insists on doing stupid things, then they'll get into trouble just as easily with PDO as they would have with the mysql_ functions.
Saying PDO encourages people to code without thinking is somewhat like saying seat belts encourage people to drive without thinking. Both things CAN make you safer, but you still need to use them correctly before they will do so.
Yeah, what @Ree said.
I've seen code looking like this:
$prep = $db->prepare('SELECT * FROM fruit WHERE color = :color AND clue = '.$_POST['none']);
$prep->execute(array(':color' => 'red'));
PDO is great but you need to use it correctly. Not a difficult thing to do though (and that is the great part).
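The snippet quoted above, the "secondary injection" warning earlier in the thread, and the parse-once benefit of bind variables all fit in one runnable example. This is an added example, not code from the thread: it puts the half-bound query beside its corrected form, shows the corrected statement prepared once and executed for several values, and shows that a payload stored safely through a bound parameter is still a payload when later concatenated into a query (second-order injection). It assumes PHP with the pdo_sqlite extension (in-memory SQLite so it runs without a MySQL server; the PDO calls are identical for MySQL). The fruit table, its rows, the payload string and the function names connect, findBroken, findFixed and secondOrder are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP with pdo_sqlite so it runs
// without a MySQL server; the PDO calls are the same for a MySQL DSN.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE fruit (name TEXT, color TEXT, clue TEXT)');
    $ins = $db->prepare('INSERT INTO fruit (name, color, clue) VALUES (?, ?, ?)');
    // Constructed sample rows.
    foreach ([['apple', 'red', 'crunchy'], ['cherry', 'red', 'tiny'],
              ['banana', 'yellow', 'curved']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// The pattern quoted above: color is bound, but clue is concatenated straight
// into the SQL, so prepare() protects nothing on that side.
function findBroken(PDO $db, string $clue): array {
    $prep = $db->prepare('SELECT name FROM fruit WHERE color = :color AND clue = ' . $clue);
    $prep->execute([':color' => 'red']);
    return $prep->fetchAll(PDO::FETCH_COLUMN);
}

// Corrected: every user-controlled value is a bound parameter. The statement
// is prepared once and executed per value, which is also where the
// "parse once, run many" benefit mentioned earlier comes from.
function findFixed(PDO $db, array $clues): array {
    $prep = $db->prepare('SELECT name FROM fruit WHERE color = :color AND clue = :clue');
    $out = [];
    foreach ($clues as $clue) {
        $prep->execute([':color' => 'red', ':clue' => $clue]);
        $out[$clue] = $prep->fetchAll(PDO::FETCH_COLUMN);
    }
    return $out;
}

// Second-order injection: the payload goes into the database safely through a
// bound parameter, then is read back and handed to the broken query, where it
// is concatenated and takes effect anyway. Binding on insert did not sanitise
// anything; it only kept that one statement intact.
function secondOrder(PDO $db): array {
    $ins = $db->prepare('INSERT INTO fruit (name, color, clue) VALUES (?, ?, ?)');
    $ins->execute(['trap', 'yellow', "'' OR 1=1"]);   // stored literally
    $stored = $db->query("SELECT clue FROM fruit WHERE name = 'trap'")->fetchColumn();
    return findBroken($db, $stored);
}

$db = connect();
// Constructed payload: closes the empty clue and adds a tautology.
$evil = "'' OR 1=1";

// The half-bound query: color = 'red' AND clue = '' OR 1=1, so every fruit comes back.
print_r(findBroken($db, $evil));

// The fixed query: the payload is compared as a plain string and matches
// nothing; 'crunchy' is looked up with the same prepared statement.
print_r(findFixed($db, [$evil, 'crunchy']));

// The stored payload, later concatenated: every fruit again.
print_r(secondOrder($db));
```

Two practical notes when pointing this at MySQL: set PDO::ATTR_EMULATE_PREPARES to false so the server, not the driver, does the parsing and parameter handling, and remember that binding only covers values. Table names, column names, ORDER BY directions and LIMIT counts that come from user input still have to be validated against a whitelist, because they cannot be parameters.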
Ah...that was funny.