$_GET['id'] = mysqli_real_escape_string($d,$_GET['id']);

instead of

$id = mysqli_real_escape_string($d,$_GET['id']);

Is this safe, or is there a chance, that the mysqli_real_escape_string() doesn't work, which makes the $_GET['id'] still dangerous (SQL-injection)?

Qirel
  • What do you want to achieve? – Ahmed Ginani Sep 21 '17 at 12:26
  • Don't escape at all. Parameterize. – chris85 Sep 21 '17 at 12:27
  • Don't assign values to `$_GET`. It represents data coming in from outside the system. Manipulating it and assigning it back leads to confusing code. – Quentin Sep 21 '17 at 12:27
  • What do you mean by Parameterize? –  Sep 21 '17 at 12:31
  • Use a prepared statement, and bind the variables through a placeholder. `$stmt = $d->prepare("..");` and bind through `$stmt->bind_param(...);` – Qirel Sep 21 '17 at 12:35
  • @LuisM. Don't put variables in your query. Use placeholders and allow the driver to quote/escape the data. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php For example, if a future developer accidentally commented out this line `$_GET['id'] = mysqli_real_escape_string($d,$_GET['id']);` your query would be injectable. – chris85 Sep 21 '17 at 12:45

2 Answers

1

Escaping depends on the context the data is going to be used in. MySQL real-escaping does nothing against HTML injection, or incorrectly formatted CSV values, or any other text format where characters need to be escaped. Read The Great Escapism (Or: What You Need To Know To Work With Text Within Text).

When you replace the $_GET data, that means all your following code now has to deal with specifically SQL-escaped data. What if you have any code that doesn't deal with SQL? That's why it's terrible practice.

It's even worse since you should simply use parameterised queries instead of manual escaping. See How can I prevent SQL injection in PHP?

deceze
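As an added example (not code from the question, the comments, or either answer), this is what the comments and the answer above recommend in practice: the raw request value is bound to a placeholder instead of being escaped into the SQL string, `$_GET` is left untouched, and the same value is escaped separately for the HTML context when it is echoed back. It assumes `$d` is an open mysqli connection, that a table `items(id INT, name VARCHAR)` exists, and that the mysqlnd driver is available for `get_result()`; all three are assumptions for this illustration, not part of the original post.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: $d is an open mysqli connection; a table items(id INT, name VARCHAR)
// exists; mysqlnd is installed so mysqli_stmt::get_result() is available.

declare(strict_types=1);

// Turn mysqli errors into exceptions so a failed prepare/execute is not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up one row by id.
 *
 * The request value never becomes part of the SQL text: it is bound to the "?"
 * placeholder, so the driver sends it as data. A value such as "1 OR 1=1" can
 * only ever be compared literally against the id column. That binding is the
 * injection defense; the regex below is a separate validation step so that a
 * non-numeric id is rejected up front instead of being coerced.
 */
function findItemById(mysqli $d, string $rawId): ?array
{
    if (preg_match('/^\d{1,18}$/', $rawId) !== 1) {
        return null;
    }
    $id = (int) $rawId;

    $stmt = $d->prepare('SELECT id, name FROM items WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

/**
 * Escape a string for an HTML body. mysqli_real_escape_string() would do
 * nothing useful here; this context needs HTML entity encoding.
 */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read $_GET without writing back to it; keep the raw value in a local variable
// so later code still sees the original request data.
$rawId = $_GET['id'] ?? '';
$item  = findItemById($d, $rawId);

if ($item === null) {
    http_response_code(404);
    echo '<p>No item for id ' . html($rawId) . '</p>';
} else {
    echo '<p>Item ' . html((string) $item['id']) . ': ' . html($item['name']) . '</p>';
}
```

With this shape there is no single escape line that a later edit can comment out to make the query injectable, which is the failure mode chris85 describes in the comments: the placeholder is part of the statement itself. The 404 branch also shows why SQL escaping alone is not enough, since the rejected `$rawId` is echoed into HTML and needs HTML escaping on that path.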
0

Both methods are equally safe, as the $_GET/$_POST/$_REQUEST parameters are set before your PHP even reaches your file for execution.

So there should be nothing that will interact with your $_GET array as seen from the code base.

S.Gartmeier