jbis2k Posted June 4, 2011
Is the PHP function mysql_real_escape_string($string); sufficient to prevent all injection attempts? Do I need to consider other functions as well?
gizmola Posted June 4, 2011
It depends on the code. mysql_real_escape_string is not designed to prevent injections, although in some cases it does. It is designed to escape quotes. You need to consider the input type of each variable. For example, if you are accepting an integer value, then you should use: $i = (int)$_GET['i']; Alternatively, using PDO or mysqli with bind variables is an excellent one-step solution for preventing SQL injections.
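The three situations gizmola's answer contrasts, as an added example that is not part of the original thread: escaping a value that lands in an unquoted integer position, casting it to the expected type, and binding it as a parameter. It assumes an in-memory SQLite database so it runs offline, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection (both only touch quotes, backslashes and NUL, which is the point).

```php
<?php
// Added example: escaping vs. casting vs. bound parameters for an integer id.
// Assumption: in-memory SQLite stands in for MySQL; addslashes() stands in for
// mysql_real_escape_string() because the latter requires a MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed untrusted input. It contains no quote characters, so an
// escaping function has nothing to change and hands it back unmodified.
$raw = '2 OR 1=1';

// 1. Escape only, interpolated into an unquoted position: the escaped
//    string is identical to the input, and the WHERE clause matches every row.
$escaped = addslashes($raw);
$rows = $pdo->query("SELECT name FROM users WHERE id = $escaped")
            ->fetchAll(PDO::FETCH_COLUMN);
printf("escape only     : %s\n", implode(',', $rows));

// 2. Cast to the expected type first: (int)'2 OR 1=1' is 2, so the trailing
//    text never reaches the query and only the intended row matches.
$id = (int)$raw;
$rows = $pdo->query("SELECT name FROM users WHERE id = $id")
            ->fetchAll(PDO::FETCH_COLUMN);
printf("cast to int     : %s\n", implode(',', $rows));

// 3. Prepared statement with a typed bound parameter: the value is sent
//    separately from the SQL text, so it can never be parsed as SQL.
function findNameById(PDO $pdo, string $rawId): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
printf("bound parameter : %s\n", implode(',', findNameById($pdo, $raw)));
```

Run it with a PHP build that has pdo_sqlite; the first query returns all three names, the other two return only the row with id 2.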
jbis2k Posted June 5, 2011
Thanks much