I'm working on my bachelor thesis about the security of SQL databases. I was using sqlmap to check vulnerable SQL queries. Is there an up-to-date SQL injection that can bypass string escaping done with the function `mysqli_real_escape_string`, or bypass a prepared statement?

I was using sqlmap to check it, but it couldn't inject prepared or escaped queries.

  • Speaking of escaping *string*, there is none. However, in case one is foolish enough to try to escape any other query part, it would be a straight-up SQL injection – Your Common Sense Feb 27 '23 at 11:16
  • It's important to note that using `mysqli_real_escape_string` and prepared statements are both effective measures to prevent SQL injection attacks. However, there is always a possibility of vulnerabilities depending on how the code is written and implemented. – iamafish Feb 27 '23 at 11:16
  • @kampit `mysqli_real_escape_string` is BY NO MEANS even REMOTELY related to "measures to prevent SQL injection attacks". PLEASE do not spread that nasty rumor – Your Common Sense Feb 27 '23 at 11:18
  • It's not that `mysqli_real_escape_string` is inherently bad, but that it's just insufficient. People do not know or care to use it properly. It's really cumbersome and if the code is not written properly, you can still break the SQL. – Dharman Feb 27 '23 at 11:19
  • You can't inject prepared queries because by design they are invulnerable to SQL injection. However, a bad programmer can still make an SQL injection vulnerability even with prepared statements. SQL injection isn't about the technology but about bad coders. – Dharman Feb 27 '23 at 11:20
  • @YourCommonSense It's too general to say it's not at all safe. Next may concern sanitize, restrict access, privilege principle, WAF & more – iamafish Feb 27 '23 at 11:22
  • Your question has an analogy: "*I heard guns kill people. I sat in front of a loaded gun for 24h and it hasn't killed anyone. Are guns still responsible for human deaths?*" – Dharman Feb 27 '23 at 11:24
  • @YourCommonSense. However, there is always a possibility of vulnerabilities depending on how the code is written and implemented. – iamafish Feb 27 '23 at 11:28
  • @YourCommonSense Let's not hijack this question's comments to discuss terminology, please. – Dharman Feb 27 '23 at 11:28
  • It is not a "terminology" but a wild superstition that plagued poor PHP folks for decades. It's even relevant to the question, because it is not 100% clear whether the OP understands what this function's purpose is. But well, let's don't. – Your Common Sense Feb 27 '23 at 11:36

0 Answers
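The comments above distinguish escaping a quoted string value from escaping any other part of a query. As an added example (not code from the question or from any commenter), the Python/SQLite sketch below runs the same input through both contexts and through a bound parameter. `escape_string` is a hypothetical stand-in for `mysqli_real_escape_string`, adapted to SQLite's quoting rule, and the table, rows and function names are constructed for the illustration.

```python
import sqlite3

def escape_string(value: str) -> str:
    # Hypothetical stand-in for mysqli_real_escape_string (assumption): like any
    # string-escaping routine, it only neutralises the string delimiter.
    return value.replace("'", "''")

def make_db() -> sqlite3.Connection:
    # Constructed sample data, held in memory.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "o'brien")])
    return db

def by_name_escaped(db, name):
    # Escaped value placed inside a quoted literal: the one context
    # string escaping is designed for.
    sql = "SELECT id FROM users WHERE name = '" + escape_string(name) + "'"
    return sorted(r[0] for r in db.execute(sql))

def by_id_escaped(db, user_id):
    # Escaped value placed in an unquoted (numeric) position: there is no
    # delimiter to escape, so the input is parsed as SQL syntax.
    sql = "SELECT id FROM users WHERE id = " + escape_string(user_id)
    return sorted(r[0] for r in db.execute(sql))

def by_id_prepared(db, user_id):
    # Bound parameter: the value is sent as data and never becomes SQL text.
    sql = "SELECT id FROM users WHERE id = ?"
    return sorted(r[0] for r in db.execute(sql, (user_id,)))

if __name__ == "__main__":
    db = make_db()
    tautology = "0 OR 1=1"  # constructed test input containing no quote character
    print("quoted + escaped  :", by_name_escaped(db, "x' OR '1'='1"))
    print("unquoted + escaped:", by_id_escaped(db, tautology))
    print("bound parameter   :", by_id_prepared(db, tautology))
```
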