-1

What is the best way to prevent SQL-injection in PHP 8?

The only way that I know is prepared statements.

https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

I want to know whether there is any other way to prevent SQL injection in PHP 8.

I see these methods are for PHP 5 and PHP 7 to prevent SQL injection, but what should we do in PHP 8?

mysqli::real_escape_string
mysqli::escape_string
mysqli_real_escape_string
(PHP 5, PHP 7)

https://www.php.net/manual/en/mysqli.real-escape-string.php

It's still not deprecated, but we should use it very carefully.

Is there any other way in PHP-8?

Raskul
  • 2
    Prepared statements are not particular to PHP at all, let alone a given version. They are a best practice across virtually all database systems, and will likely never stop being best practice. – Sammitch Feb 23 '21 at 02:14
  • 1
    You can get your answers from the links you posted in your question. First, try to find *any* mention of SQL injection on the second page (obviously, in the *official* part, as user comments are not the part of the documentation). Then turn to the first one which has a direct answer to your question. – Your Common Sense Mar 02 '21 at 13:46
  • Why do you need **any** other way? Is there something you want to achieve, but cannot through using prepared statements? – Nico Haase Mar 03 '21 at 07:57

1 Answer

2

escape_string functions don't fully protect against SQL injection. An SQL injection may not even need special characters. Here is a simple example:

```php
// Escaping cannot help here: $id is interpolated without quotes, so there is
// nothing for the escaper to neutralise and "1 OR 1=1" reaches the SQL parser intact.
$id  = $mysqli->real_escape_string("1 OR 1=1"); // $mysqli: an open mysqli connection (the mysql_* extension was removed in PHP 7)
$sql = "SELECT * FROM table WHERE id = $id";    // becomes: SELECT * FROM table WHERE id = 1 OR 1=1
```

Prepared statements are the proper way to protect against SQL injection, regardless of your PHP version.

Enrico Dias
  • 1
    What's preventing the injection in that case is the quotes inside the query in combination with the escape function. That may not work in all cases. Maybe one input of some weird encoding may be converted to a single quote in the database and result in an injection. You can't be 100% sure that your query is safe that way. Prepared Statements compiles the query without the values, making sure that the values will not be interpreted. – Enrico Dias Feb 23 '21 at 01:43
  • 1
    @SamRaskul this is called "a coincidence". – Your Common Sense Feb 23 '21 at 10:56
  • @YourCommonSense Would you be nice enough to explain more? – Raskul Feb 24 '21 at 05:08
  • https://phpdelusions.net/sql_injection – Your Common Sense Feb 24 '21 at 05:11
  • Please add **all** explanation to your answer by editing it - don't use the comment section for important stuff – Nico Haase Mar 03 '21 at 07:57
  • @NicoHaase but I did, the answer has all the important information. He commented with another example and I replied to it. Since his comment is no longer visible, he probably deleted it. – Enrico Dias Mar 03 '21 at 12:10
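The following is an added, self-contained PHP 8 script (not part of the question or the answer above) that runs the answer's `1 OR 1=1` case both ways: first escaped and interpolated without quotes, then through a prepared statement. It uses an in-memory SQLite database via PDO so it runs offline with no MySQL server; the escaping helper `escapeForSqlite` is a hypothetical stand-in for `mysqli::real_escape_string` (SQLite has no built-in escaper), the `users` table and its rows are constructed sample data, and the trailing mysqli snippet is shown as comments only because it needs a live connection.

```php
<?php
declare(strict_types=1);

// Constructed sample database: in-memory SQLite so the script needs no server.
// The page's example targets MySQL via mysqli; the failure mode is the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Hypothetical stand-in for mysqli::real_escape_string: doubles single quotes,
// which is all a string escaper can do. It only matters INSIDE a quoted literal.
function escapeForSqlite(string $value): string
{
    return str_replace("'", "''", $value);
}

$attacker = '1 OR 1=1';   // no quotes, no backslashes: nothing for an escaper to touch

// 1. Escape, then interpolate without quotes (the answer's example).
//    The escaper finds nothing to change, so the payload becomes part of the SQL.
$sql  = 'SELECT id, name FROM users WHERE id = ' . escapeForSqlite($attacker);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("escaped, unquoted : %s\n  -> %d rows (every user leaks)\n", $sql, count($rows));

// 2. Prepared statement: the query text is compiled first, the value is bound
//    afterwards and can only ever be data. SQLite compares the integer column
//    against the text '1 OR 1=1', which matches no row.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->execute([$attacker]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared statement: WHERE id = ? bound to %s\n  -> %d rows\n",
    var_export($attacker, true), count($rows));

// 3. The same shape with mysqli, as in the manual page the question links.
//    Not executed here because it needs an open $mysqli connection:
//    $stmt = $mysqli->prepare('SELECT id, name FROM users WHERE id = ?');
//    $stmt->bind_param('i', $attacker);  // 'i' binds an integer; the value is never spliced into the SQL text
//    $stmt->execute();
//    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

Run it with `php example.php`; the first query returns all three rows, the prepared one returns none. One caveat when moving this to PDO with MySQL: `PDO::ATTR_EMULATE_PREPARES` defaults to true for the MySQL driver, which makes PDO quote and splice the value client-side instead of sending a real server-side prepare. Set it to `false` on the connection so the server, not string handling, keeps SQL and data apart.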