
Lately it has been very irritating for me because I almost have a fully functioning site about to be launched. This may not seem like a problem; however, my web host is running an old version of PHP, so I cannot use MySqli_* or PDO, so I am stuck with the deprecated version (MySql_*). A user here on S.O. has told me that it is IMPOSSIBLE to prevent SQL injection attacks whilst running MySql_*.

Question: Is it impossible to secure my website from SQL injection whilst using MySql_*?

Eugene Stamp

2 Answers

It is possible to secure against SQL injection attacks by escaping your variables well, but the problem is: JUST ONE TIME you do not escape a string, you are vulnerable to SQL injection, and that's the problem.

If you are 100% sure that all inputs to the database are well escaped, then you are safe :)

Ehab Eldeeb


Yes it's possible.

Escape and quote correctly and you're done with that. Escaping is not enough; you should also quote. mysqli_'s advantage over mysql_ is that it escapes. PDO's advantage over mysqli is that it auto-quotes. If you do them yourself, then you're ready to launch your site.

Mahdyfo
  • You could easily mark the question as a duplicate! The related link has 100 times better answers! – Pratik Joshi Jul 21 '15 at 17:46
  • @PratikCJoshi I can't mark it as a duplicate according to my rep; however, I think it's a more specific question. In that link they said "use PDO, use PDO", while he can't use PDO. – Mahdyfo Jul 21 '15 at 17:50
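The two answers above both come down to one rule: every value that reaches the query text must be escaped with mysql_real_escape_string() AND wrapped in quotes (or cast to a number). The following is an added example, not code from the question or either answer, showing the same lookup written the vulnerable way, the escaped-but-unquoted way that is still injectable, and the escape-and-quote way that is safe with the legacy mysql_* API. The table and column names (users, id, username), the connection parameters and the q() helper are assumptions made for the illustration; the mysql_* calls themselves are the real pre-PHP-5.5 functions.

```php
<?php
// Added example: escape-and-quote discipline with the legacy mysql_* API.
// Assumed schema: table `users` with columns `id` INT and `username` VARCHAR.
// Assumed credentials; replace with your own.
$link = mysql_connect('localhost', 'app_user', 'app_password');
if (!$link || !mysql_select_db('app', $link)) {
    die('connect failed: ' . mysql_error());
}
// mysql_real_escape_string() escapes according to the charset the client
// library believes the connection uses. Set it through the API, not with a
// "SET NAMES" query, or the library keeps escaping for the old charset and
// multibyte input can smuggle a quote past the escaper.
mysql_set_charset('utf8', $link);

// Helper (assumed name): escape AND quote, producing a complete SQL string
// literal. This is the "quote" step the second answer says mysql_ lacks.
function q($value, $link) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// 1. Vulnerable: raw input concatenated into the statement.
//    $username = "' OR '1'='1" closes the literal and adds a true clause.
function find_user_vulnerable($username, $link) {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return mysql_query($sql, $link);
}

// 2. Escaped but NOT quoted: still injectable. "1 OR 1=1" contains no quote,
//    backslash, NUL or newline, so escaping returns it unchanged and the
//    clause becomes `WHERE id = 1 OR 1=1`. Escaping only protects a value
//    that sits inside quotes.
function find_user_by_id_escaped_only($id, $link) {
    $sql = "SELECT id, username FROM users WHERE id = " . mysql_real_escape_string($id, $link);
    return mysql_query($sql, $link);
}

// 3. Safe with mysql_*: every string goes through q(), every number is cast.
function find_user_safe($username, $link) {
    $sql = "SELECT id, username FROM users WHERE username = " . q($username, $link);
    return mysql_query($sql, $link);
}

function find_user_by_id_safe($id, $link) {
    // (int) leaves nothing to inject: "1 OR 1=1" becomes 1.
    $sql = "SELECT id, username FROM users WHERE id = " . (int) $id;
    return mysql_query($sql, $link);
}

// Identifiers (column names in ORDER BY, table names) cannot be protected by
// string quoting at all; compare them against a fixed allowlist instead.
function list_users_sorted($column, $link) {
    $allowed = array('id', 'username');
    if (!in_array($column, $allowed, true)) {
        $column = 'id';
    }
    return mysql_query("SELECT id, username FROM users ORDER BY `" . $column . "`", $link);
}

// Usage: the same hostile inputs hit the safe variants harmlessly.
$res = find_user_safe("' OR '1'='1", $link);        // matches only that literal name
$res = find_user_by_id_safe("1 OR 1=1", $link);      // WHERE id = 1
$res = list_users_sorted("username; DROP TABLE users", $link); // falls back to id
while ($res && ($row = mysql_fetch_assoc($res))) {
    echo $row['id'] . ' ' . $row['username'] . "\n";
}
mysql_close($link);
```

The point of the first answer holds even here: this is only as safe as the least careful query in the code base, so keep the raw values out of the query text everywhere, and never build a literal without q() or a cast in the same expression.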