
I have a CRM-type website where the user inputs the unique ID in a text box on the main page, then hits ENTER, and the page then calls a PHP file wherein `$_POST["UniqueID"]` is converted with `mysqli_real_escape_string()` first before attaching it to the query. The query searches for the record based on that Unique ID, then displays the information.

My question here is, do I still need to worry about my query and use prepared statements to protect the query or will just using mysqli_real_escape_string() on the only user-input value keep my query safe?

    no. manual escaping is not a 100% fix for injection attacks. not all injection attacks involve stray `'` and whatnot. – Marc B Jun 10 '16 at 15:25
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use manual escaping and string interpolation or concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/) if you ever forget to properly escape something. – tadman Jun 10 '16 at 16:06
  • @tadman You mean I shouldn't be using `mysqli_real_escape_string()`? – jay Jun 11 '16 at 06:05
  • @jay That's unreliable: A single mistake where an unescaped value is used can lead to a catastrophic failure. With `bind_param` a mistake causes the query to error out, it's considerably safer. The default is "do nothing" not "give everyone access to my database". – tadman Jun 11 '16 at 20:26
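As an added example (not code from the question or its comments), here is the Unique ID lookup written both ways: the escaping-and-concatenation approach the question describes, and the prepared-statement form with `bind_param` that the comments recommend. The table name `customers`, its columns, and the connection credentials are assumptions.

```php
<?php
// Added example: the Unique ID lookup the question describes, done with a
// prepared statement instead of mysqli_real_escape_string() + concatenation.
// Assumptions: a table `customers` with columns `unique_id`, `name`, `email`
// and the connection parameters below; none of these come from the question.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // turn failures into exceptions

$db = new mysqli('localhost', 'crm_user', 'crm_password', 'crm'); // assumed credentials
$db->set_charset('utf8mb4'); // the connection charset also affects how escaping behaves

// What the question describes: escaping, then string concatenation.
// It is safe only while every interpolated value is escaped and quoted
// correctly; one forgotten call anywhere in the code base breaks it.
function lookupWithEscaping(mysqli $db, string $uniqueId): ?array
{
    $safe = $db->real_escape_string($uniqueId);
    $result = $db->query("SELECT unique_id, name, email FROM customers WHERE unique_id = '$safe'");
    return $result->fetch_assoc() ?: null;
}

// Recommended: the query text never contains user data. The value is sent
// separately and the server treats it strictly as a string parameter, so no
// escaping is needed and a mistake raises an error instead of altering the query.
function lookupWithPreparedStatement(mysqli $db, string $uniqueId): ?array
{
    $stmt = $db->prepare('SELECT unique_id, name, email FROM customers WHERE unique_id = ?');
    $stmt->bind_param('s', $uniqueId); // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

$uniqueId = $_POST['UniqueID'] ?? '';
if ($uniqueId === '') {
    http_response_code(400);
    exit('UniqueID is required');
}

$record = lookupWithPreparedStatement($db, $uniqueId);
if ($record === null) {
    echo 'No record found';
} else {
    // Escape on output too: HTML injection is a separate problem from SQL injection.
    echo htmlspecialchars($record['name'], ENT_QUOTES, 'UTF-8') . ' <' .
        htmlspecialchars($record['email'], ENT_QUOTES, 'UTF-8') . '>';
}
```

With `MYSQLI_REPORT_STRICT` enabled, a wrong parameter count or type in the prepared form throws an exception rather than silently running a different query, which is the "fails closed" behaviour the comments describe.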
