
mysqli_real_escape_string not safe?

olypros opened this issue 7 years ago • 3 comments

I know mysql_real_escape_string is not safe.

But is the mysqli one safe? (the improved version)

Give me one example that will get around this:

$id = mysqli_real_escape_string($con, htmlentities(trim($id)));
"SELECT * from table where id = '$id'"

olypros, Jan 19 '17 16:01

Hi :)

"But is the mysqli one safe?" mysqli_real_escape_string can be circumvented, but only in very obscure situations (not likely to apply to you or to most everyone else).

More info in this answer: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602

So never set the charset with a query like 'SET NAMES {charset}'. Use mysqli_set_charset or mysqli_options($link, MYSQLI_SET_CHARSET_NAME, "{charset}");

mrivanova, Jan 20 '17 08:01
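The bypass the answer above links to is a byte-level trick, so it can be modelled without a MySQL server. The following is an added example, not code from this issue thread or from the linked answer: it re-implements, in simplified form, the escaping logic of the client library (libmysql's escape_string_for_mysql) and the server's handling of a single-quoted literal, then runs the question's own pattern (escape, then concatenate into `SELECT * from table where id = '$id'`) through both. The `client_charset` argument models what the client library believes the connection charset is: after `SET NAMES gbk` sent as a plain query it still believes the default (here assumed to be latin1), after `mysqli_set_charset('gbk')` it knows GBK. All function names, the payload and the default charsets are assumptions made for this illustration.

```python
# Added illustration (not from the issue thread): how a GBK multibyte sequence
# defeats escaping when the client library does not know the connection
# charset, and why escaping done with the right charset survives.
# Simplified models of libmysql's escape_string_for_mysql() and of the server's
# string-literal lexer; constants and names below are this example's own.

# Bytes the client escape function rewrites (subset of libmysql's list).
SPECIALS = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\",
}

# Constructed attacker input: 0xBF is a GBK lead byte, followed by the quote.
PAYLOAD = b"\xbf' OR 1=1 -- "


def gbk_lead_len(lead: int) -> int:
    """GBK: bytes 0x81..0xFE start a two-byte character."""
    return 2 if 0x81 <= lead <= 0xFE else 1


def gbk_mbchar(data: bytes, i: int) -> int:
    """Length of the valid GBK multibyte char at data[i], or 0 if there is none
    (the trail byte must be 0x40..0xFE, excluding 0x7F)."""
    if i + 1 < len(data) and gbk_lead_len(data[i]) == 2:
        trail = data[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 0


def escape_string(data: bytes, client_charset: str) -> bytes:
    """Model of mysqli_real_escape_string(). client_charset is what the client
    library *believes* the connection charset is ("latin1" or "gbk")."""
    out = bytearray()
    i = 0
    while i < len(data):
        if client_charset == "gbk":
            n = gbk_mbchar(data, i)
            if n:                       # valid multibyte char: copy it whole
                out += data[i:i + n]
                i += n
                continue
            if gbk_lead_len(data[i]) == 2:
                # Looks like a lead byte but does not form a valid character:
                # escape the lead byte itself so a later backslash cannot be
                # absorbed into a two-byte character by the server.
                out += b"\\" + bytes([data[i]])
                i += 1
                continue
        out += SPECIALS.get(data[i], bytes([data[i]]))
        i += 1
    return bytes(out)


def build_query(user_id: bytes, client_charset: str) -> bytes:
    """The pattern from the question: escape, then concatenate into SQL."""
    return (b"SELECT * FROM table WHERE id = '"
            + escape_string(user_id, client_charset) + b"'")


def lex_first_literal(query: bytes, server_charset: str) -> tuple[bytes, bytes]:
    """Model of the server lexer: (literal value, bytes after the closing quote).
    The server really runs in server_charset however the client set it, and it
    consumes a valid multibyte character before looking for backslash or quote."""
    i = query.index(b"'") + 1
    lit = bytearray()
    while i < len(query):
        if server_charset == "gbk":
            n = gbk_mbchar(query, i)
            if n:
                lit += query[i:i + n]
                i += n
                continue
        b = query[i]
        if b == 0x5C and i + 1 < len(query):   # backslash: next byte is literal
            lit.append(query[i + 1])
            i += 2
            continue
        if b == 0x27:                          # unescaped quote ends the literal
            return bytes(lit), query[i + 1:]
        lit.append(b)
        i += 1
    raise ValueError("unterminated string literal")


def injected_sql(user_id: bytes, client_charset: str,
                 server_charset: str = "gbk") -> bytes:
    """Bytes the server would parse as SQL after the id literal. Anything other
    than the application's own closing quote (or nothing) is injected SQL."""
    _, rest = lex_first_literal(build_query(user_id, client_charset), server_charset)
    return rest


if __name__ == "__main__":
    # 0xBF 0x5C really is one GBK character, which is what makes the trick work.
    print("bf5c decoded as GBK:", b"\xbf\x5c".decode("gbk"))
    print("SET NAMES gbk (client thinks latin1):", injected_sql(PAYLOAD, "latin1"))
    print("mysqli_set_charset('gbk'):          ", injected_sql(PAYLOAD, "gbk"))
```

With the client believing latin1, `\xbf'` is escaped to `\xbf\x5c'`; the GBK-aware server reads `\xbf\x5c` as one character and the quote closes the literal, leaving ` OR 1=1 -- ` as SQL. With the charset set through the API, the client escapes the stray lead byte too (`\x5c\xbf\x5c'`), the backslashes are consumed one at a time and the whole input stays inside the quotes. A plain ASCII `' OR 1=1 -- ` is caught in both modes, which is why the bypass only shows up with a multibyte connection charset. Prepared statements sidestep the whole question, since parameters never pass through the lexer at all.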

There's also the issue of long term maintenance. If you use concatenated queries, even if correctly escaped, future developers are more likely to make mistakes. There's a discussion about it there: https://github.com/laurent22/so-sql-injections/issues/3

laurent22, Jan 20 '17 09:01

Yeah, apart from maintenance. Technically there are no security flaws between mysqli (not mysql) and prepared statements, I think.

olypros, Jan 20 '17 10:01