
I am already using mysqli_real_escape_string for every user input. I did try to enter the following value inside a textarea which was later meant to be stored in the database.

Something'); DROP TABLE table_name;--

It did not delete table_name from the database and the value was stored exactly like Something'); DROP TABLE table_name;-- in one of the tables. No character was escaped. This made me doubt if mysqli_real_escape_string is actually working or not.

Is user input saved without escaping any characters even when we run the input through mysqli_real_escape_string?

If the input is indeed saved with escaped characters, why was the query saved without any changes in my case? Am I doing something wrong?

Vineet Sharma
  • Just use prepared statements and be home in time for corn flakes. The SQL injection problem was solved a long time ago, and you should not be spending your development energy on this problem. – Tim Biegeleisen Dec 19 '17 at 04:41
  • @TimBiegeleisen I am working on an old project originally created by someone else. In this particular instance, updating the whole code to use prepared statements would be very time consuming imho. :) – Vineet Sharma Dec 19 '17 at 04:46
  • Yes, there would be some initial overhead, but it is worth the investment IMO, and later down the road you would probably save time. – Tim Biegeleisen Dec 19 '17 at 04:48
  • @TimBiegeleisen you are probably right, updating the code now will save me time in future. :) – Vineet Sharma Dec 19 '17 at 04:50
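The following is an added example, not part of the question or its comments, that models what mysqli_real_escape_string actually changes. The escaping rules mirror the character set MySQL documents for mysql_real_escape_string; the literal decoder is a simplified, assumed model of how the server reads a single-quoted string, and the `notes` table and `simulate` helper are constructed for illustration. It shows why the stored row looks identical to the input: the backslashes exist only in the SQL text, and the server removes them when it decodes the literal. Without escaping, the same input closes the literal early and the remainder is read as SQL, which is the risk the comments point to and why bound parameters in prepared statements remove the problem entirely.

```python
# Added example: escaping changes the SQL *text*, not the value the server stores.
from typing import Tuple

# Characters mysql_real_escape_string escapes, and what it replaces them with.
ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r",
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# Inverse map used by the (assumed, simplified) literal decoder: 'n' -> '\n', ...
UNESCAPES = {seq[1]: ch for ch, seq in ESCAPES.items()}

def mysql_escape(value: str) -> str:
    """Escape a string the way mysqli_real_escape_string does (same character set)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def read_literal(sql: str, start: int) -> Tuple[str, int]:
    """Simplified model of the server decoding a single-quoted literal that
    begins at sql[start]. Returns (decoded value, index just past the closing quote).
    Backslash escapes are decoded; an unknown escape yields the character itself."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def build_insert(value: str, escape: bool) -> str:
    """Constructed query shape: one text column in a hypothetical `notes` table."""
    v = mysql_escape(value) if escape else value
    return f"INSERT INTO notes (body) VALUES ('{v}');"

def simulate(value: str, escape: bool) -> dict:
    """Build the query, decode its literal as the server would, and report
    the value that would be stored plus any text left over after the literal."""
    sql = build_insert(value, escape)
    stored, end = read_literal(sql, sql.index("'"))
    trailing = sql[end:]
    return {
        "sql": sql,
        "stored": stored,
        "trailing_sql": trailing,
        # Anything other than the expected ");" means the literal ended early.
        "injected": trailing != ");",
    }

if __name__ == "__main__":
    payload = "Something'); DROP TABLE table_name;--"  # value from the question
    for escape in (True, False):
        r = simulate(payload, escape)
        print(f"escape={escape}")
        print("  query text :", r["sql"])
        print("  stored     :", r["stored"])
        print("  after lit. :", r["trailing_sql"], "(injected)" if r["injected"] else "")
```

Run stand-alone, the escaped case prints a query containing `\'` while the stored value equals the original input byte for byte, which is exactly what the question observed. The unescaped case stores only `Something` and leaves `); DROP TABLE table_name;--');` as trailing SQL text, the condition escaping exists to prevent. A prepared statement with a bound parameter never builds this text at all, so there is nothing to escape.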

0 Answers