
mysql real escape string solve sql injection definitely [duplicate]

Question:

This question already has an answer here:

  • How can I prevent SQL injection in PHP? (/questions/60174/how-can-i-prevent-sql-injection-in-php), 28 answers

I want to know if adding mysql_real_escape_string to my variables is enough to solve SQL injection:

$get_id = "select * from `book` where id='".$mysqli->real_escape_string($id)."' limit 1";

Answer1:

No, it isn't. Use prepared statements.

You would have to do something like this:

// Your connection settings
$connData = ["localhost", "user", "pass", "database"];
$conn = new mysqli($connData[0], $connData[1], $connData[2], $connData[3]);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$conn->set_charset("utf8");

// Here we tell MySQL which query it will run; "?" is a placeholder for the value
$stmt = $conn->prepare("select * from book where id=? limit 1");

// Here we tell PHP which variable holds the "?" value ($id, the id you want to look up).
// We also tell PHP that $id is an integer ("i")
$stmt->bind_param("i", $id);

// Here we execute the query and store the result
$stmt->execute();
$stmt->store_result();

// Here we bind the columns of the query to PHP variables (one variable per column)
$stmt->bind_result($column1, $column2 /* , ... whichever columns you have */);

// Here we store the results of each row in our PHP variables ($column1, $column2, ...)
while ($stmt->fetch()) {
    // Now we can do whatever we want (store in an array, echo, etc.)
    echo "$column1 - $column2 - ...\n";
}

$stmt->close();
$conn->close();
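The difference between escaping a value and binding it, as an added example that is not part of the original question or answer. It uses Python's sqlite3 module as a stand-in for PHP/mysqli so that it runs without a MySQL server; the `book` table, its rows and the `mysql_style_escape` helper (a simplified imitation of what mysqli::real_escape_string does to quotes, backslashes and control characters) are constructed for the demo. The payload chosen contains no characters an escaper touches, which is exactly why the escaped-but-unquoted query is rewritten while the parameterised one is not: a bound parameter is never parsed as SQL, and a typed bind (mysqli's "i") additionally rejects anything that is not an integer before it reaches the database.

```python
"""Added example, not from the original post: escaping a value vs binding it.
sqlite3 stands in for MySQL/mysqli so the script runs offline."""
import sqlite3

# Constructed sample data for the demo.
BOOKS = [
    (1, "Zero Trust Networks"),
    (2, "The Web Application Hacker's Handbook"),
    (3, "Security Engineering"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with the same shape as the `book` table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE book (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO book (id, title) VALUES (?, ?)", BOOKS)
    return conn


def mysql_style_escape(value: str) -> str:
    """Simplified stand-in (an assumption for this demo) for mysqli::real_escape_string:
    backslash-escape the characters MySQL's escaper rewrites. The real function also
    depends on the connection character set; that nuance is not modelled here."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def build_escaped_sql(user_id: str) -> str:
    """String-built query in an unquoted numeric context. Escaping is a no-op on
    '0 OR 1=1' (no quotes, no backslashes), so the OR clause lands in the SQL."""
    return "SELECT id, title FROM book WHERE id=" + mysql_style_escape(user_id) + " LIMIT 1"


def lookup_escaped_unquoted(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: escape, then concatenate into an unquoted position."""
    return conn.execute(build_escaped_sql(user_id)).fetchall()


def lookup_prepared(conn: sqlite3.Connection, user_id) -> list:
    """Parameter binding: the value is sent separately from the SQL text, so it can
    only ever be compared with `id`, never interpreted as part of the statement."""
    return conn.execute(
        "SELECT id, title FROM book WHERE id=? LIMIT 1", (user_id,)
    ).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_id: str):
    """Type check before binding, mirroring bind_param("i", $id): anything that is
    not an integer is rejected up front (returns None) instead of reaching the DB."""
    try:
        id_int = int(user_id)
    except ValueError:
        return None
    return lookup_prepared(conn, id_int)


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "0 OR 1=1"):
        print(f"payload {payload!r}")
        print("  SQL text          :", build_escaped_sql(payload))
        print("  escaped+unquoted  :", lookup_escaped_unquoted(db, payload))
        print("  prepared          :", lookup_prepared(db, payload))
        print("  validated+prepared:", lookup_validated(db, payload))
```

Run it and compare the two rows of output for the `0 OR 1=1` payload: the string-built query returns a book that the caller never asked for, while the bound query returns nothing and the validated path refuses the input outright. The quoted form in the question (`id='...'`) does stop the classic quote break-out in MySQL, but it only works as long as every value is quoted and the connection character set matches what the escaper assumes; prepared statements remove the whole class of mistake rather than one instance of it.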
