SQLi - What is most safe?

Asked Aug 03 '20 at 20:23

Active Aug 03 '20 at 20:23

Viewed 24 times

What is the most safe approach?

This one:

$id = mysqli_real_escape_string($link, $_POST['id']);
echo $id;

Or this one:

$unsafe_id = $_GET['id'];
$safe_id = (int)$unsafe_id;
echo safe_id;

asked Aug 03 '20 at 20:23

Erik Auranaune

1

Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – B001ᛦ Aug 03 '20 at 20:25
Casting to integer is in general safe, however you should consider using prepared statements. They are the best. – biesior Aug 03 '20 at 20:25
@biesior So I should rather use the `int` one, and not `mysqli_real_escape_string`? – Erik Auranaune Aug 03 '20 at 20:27
2

For integers yes, however once again: you should use **prepared statements** then you don't need any of yours. – biesior Aug 03 '20 at 20:29
See here https://stackoverflow.com/questions/15786295/should-i-use-mysqli-real-escape-string-or-should-i-use-prepared-statements – biesior Aug 03 '20 at 20:31
@Kama start here and follow the examples and read the manual: https://www.php.net/manual/en/mysqli.prepare.php – IncredibleHat Aug 03 '20 at 20:58
You should research input Validation over Sanitation. – Newb 4 You BB Aug 03 '20 at 22:00
Here you go: https://phpdelusions.net/mysqli_examples/update – Your Common Sense Aug 04 '20 at 04:14

0 Answers0