Possible Duplicate:
Best way to prevent SQL injection in PHP?

I'm still using the mysql_ ext in an old project, so is mysql_real_escape_string() enough to prevent SQL injection? Or do I have to use expressions?

Fady
  • I said I'm still using the `mysql_` ext!!! – Fady Oct 29 '12 at 18:44
  • This has been answered. Search for "Is mysql_real_escape_string enough" and similar. No need to ask the same question over and over again. Also, you've tagged your question PDO. – hakre Oct 29 '12 at 18:57

1 Answer

This depends on what you're trying to reference. You wouldn't typically use mysql_real_escape_string if the value was an int or double. However, if it's a string (and you pay attention when you insert data that could have been manipulated by someone other than you) you should be safe.

PDO isn't the end-all to injection, but it does make things a lot simpler. But, mysql_* has been used successfully for years and doesn't make a site any less secure (just depends on who wrote the site).

Brad Christie
  • So `mysql_real_escape_string` works well for strings, and I don't have to use `expressions`? – Fady Oct 29 '12 at 18:47
  • It's an either/or kind of thing. Either use `mysql_*` or use PDO and expressions. You wouldn't have a hybrid of both. – Brad Christie Oct 29 '12 at 18:51
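As an added example (not code from the question or the answer), here are the two patterns Brad Christie contrasts side by side: the legacy `mysql_*` escape-and-quote pattern for strings with a cast for numbers, and the PDO prepared-statement equivalent. The connection details, the `users` table and its columns are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Table `users` and its columns are assumed.

// --- Legacy mysql_* ext (removed in PHP 7; shown because the question still uses it) ---
function legacy_find_user($link, $name, $age)
{
    // mysql_real_escape_string escapes according to the connection's character set,
    // so the charset must be set with mysql_set_charset() on the link, not via SET NAMES.
    // Escaping only protects a value that is wrapped in quotes inside the SQL text.
    $safeName = "'" . mysql_real_escape_string($name, $link) . "'";
    // A numeric value is unquoted, so escaping does nothing for it: cast it instead.
    $safeAge = (int) $age;
    $sql = "SELECT id, name FROM users WHERE name = $safeName AND age = $safeAge";
    return mysql_query($sql, $link);
}

// --- PDO with prepared statements (the alternative the answer points to) ---
function pdo_find_user(PDO $pdo, $name, $age)
{
    // Placeholders keep the data separate from the query text; no manual escaping.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name AND age = :age');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed DSN and credentials); the legacy function needs a live mysql_connect() link.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,               // server-side prepares, not client emulation
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$rows = pdo_find_user($pdo, "O'Brien", 25);            // the apostrophe is handled by the driver
print_r($rows);
```

The two functions are not meant to be mixed in one code base, which is the point of the "either/or" comment above.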