Is it enough to use mysqli in PHP to prevent SQL injections?

Question

For example I use

$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
                       VALUES ('$building_name', '$metering_type')";
if(mysqli_query($link, $query))
{
    echo json_encode(Array("success"=>true));
}

And I believe that this prevents me from SQL injections. Am I safe?

score 6 · Accepted Answer · answered Feb 12 '13 at 16:59

6

No, that doesn't protect you in the slightest.

You need to use MySQLi's parameterized queries via prepare.

answered Feb 12 '13 at 16:59

ceejayoz

176,543
40
303
368

Is it enough to use mysqli in PHP to prevent SQL injections?

1 Answers1