jbis2k, posted June 4, 2011:

Is the PHP function mysql_real_escape_string($string); sufficient to prevent all injection attempts? Do I need to consider other functions as well?
gizmola, posted June 4, 2011:

It depends on the code. mysql_real_escape_string is not designed to prevent injections, although in some cases it does. It is designed to escape quotes. You need to consider the input type of each variable. For example, if you are accepting an integer value, then you should use:

$i = (int)$_GET['i'];

Alternatively, using PDO or mysqli with bind variables is an excellent one-step solution for preventing SQL injections.
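The two patterns from the reply above (casting integer input, and binding string input through PDO) as an added runnable example; this is not code from the thread. It assumes PHP with the PDO SQLite driver and uses a constructed in-memory table, and it deliberately does not call mysql_real_escape_string(), which was removed in PHP 7 and which neither pattern relies on.

```php
<?php
// Added example (not from the original thread). Sample table and rows are constructed.
function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Pattern 1: integer input. The cast turns the raw value into an int before it
// reaches SQL, so only digits can ever appear in the statement and no quoting
// (and therefore no escaping) is involved at all.
function findById(PDO $db, $rawId): ?string {
    $id = (int) $rawId;   // anything after the leading digits is discarded by the cast
    $row = $db->query("SELECT name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

// Pattern 2: string input. A bound parameter travels separately from the query
// text, so quote characters in the value are compared as data and cannot change
// the structure of the statement.
function findByName(PDO $db, string $rawName): ?string {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $rawName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

$db = openSampleDb();
var_dump(findById($db, '1'));                 // a plain numeric id
var_dump(findById($db, '2 OR 1=1'));          // cast keeps the leading 2 only
var_dump(findByName($db, 'alice'));           // a plain name
var_dump(findByName($db, "' OR '1'='1"));     // treated as a literal name, not as SQL
```

The same two ideas carry over to mysqli: cast or validate numeric input, and use prepare() with bind_param() for anything else.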
jbis2k (author), posted June 5, 2011:

Thanks much