I want to know if I add mysql_real_escape_string to my variables that's enough to solve sql injection
$get_id = "select * from `book` where id='".$mysqli->real_escape_string($id)."' limit 1";
Asked
Active
Viewed 409 times
0
Mourad karoudi
- 89
- 1
- 11
-
3Your code is vulnerable to [SQL-Injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Please start using Prepared, Parameterized Queries. – Charlotte Dunois May 13 '16 at 20:17
-
[Escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 13 '16 at 20:22
1 Answers
1
No, it isn't. Use prepared statements.
You would have to do something like this:
// Your connection settings
$connData = ["localhost", "user", "pass", "database"];
$conn = new mysqli($connData[0], $connData[1], $connData[2], $connData[3]);
$conn->set_charset("utf8");
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
// Here we explain MySQL which will be the query
$stmt = $conn->prepare("select * from book where id=? limit 1");
// Here we tell PHP which variable hash de "?" value. Also you tell PHP that $id has an integer ("i")
$stmt->bind_param("i", $id);
// Here we bind the columns of the query to PHP variables
$stmt->bind_result($column1, $column2, ...); // <--- Whichever columns you have
// Here we execute the query and store the result
$stmt->execute();
$stmt->store_result();
// Here we store the results of each row in our PHP variables ($column1, column2, ...)
while($stmt->fetch()){
// Now we can do whatever we want (store in array, echo, etc)
echo "<p>$column1 - $column2 - ...</p>";
}
$stmt->close();
$conn->close();
nanocv
- 2,227
- 2
- 14
- 27