Mko Posted August 1, 2012

Hey all, I'm currently wondering if there's anything that could cause a security breach while running queries concerning usernames that contain special characters. The following special characters are in question: !@#$%^&*()_- If there is, would mysqli_real_escape_string() be the best method to prepare them for being used in queries? If so, is there any downside? Are there any alternatives, too? Thanks for all the help, Mark
Drongo_III Posted August 1, 2012

Escaping the data will make it safe. But if you want to be 100% sure, use prepared statements - either PDO or mysqli. That should make your queries pretty sql-injection-proof by all accounts - as long as you construct the query properly.
peipst9lker Posted August 2, 2012

Any kind of escape or string character, e.g. ', ", \, needs to be filtered. I see no problem with the characters you delivered. Maximum protection would be prepared statements as Drongo_III already mentioned.
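The point made in both replies, that the punctuation in the question is harmless as data while quoting characters change the meaning of a concatenated query and that prepared statements avoid the problem entirely, can be shown directly. The following is an added example and not code from any poster in this thread. It uses PDO with an in-memory SQLite database (a constructed `users` table with a few made-up names) so it runs offline; the table name, column names and sample rows are assumptions. The same prepare/bind/execute pattern is what the replies recommend for MySQL, and a mysqli equivalent is included as an uncalled function.

```php
<?php
// Added example (not from the thread): contrasts string concatenation with
// a prepared statement for a username lookup. Runs offline against SQLite.

declare(strict_types=1);

// Constructed throwaway table and sample usernames.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['m@rk!', 'mark_#1', "o'neil", 'plain'] as $name) {
    $seed->execute([':u' => $name]);
}

// Vulnerable form: the input is pasted straight into the SQL text.
function lookupUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: placeholder plus bound value. The driver never parses the
// value as SQL, so quotes, backslashes and !@#$%^&*()_- are all just data.
function lookupPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// mysqli equivalent of lookupPrepared (needs a live MySQL connection, so it
// is defined but not called here; get_result() requires the mysqlnd driver).
function lookupMysqli(mysqli $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 1. Punctuation-only names from the question: both forms return the same
//    row, because none of these characters terminates a string literal.
foreach (['m@rk!', 'mark_#1'] as $name) {
    $same = lookupUnsafe($pdo, $name) == lookupPrepared($pdo, $name);
    echo str_pad($name, 10) . ($same ? "same result either way\n" : "MISMATCH\n");
}

// 2. A name containing a single quote: the concatenated query is no longer
//    the statement the developer wrote and fails to parse (with exceptions
//    enabled it throws), while the prepared query returns exactly one row.
try {
    lookupUnsafe($pdo, "o'neil");
    echo "unexpected: concatenated query did not fail\n";
} catch (PDOException $e) {
    echo "concatenated query broke on a quote: " . $e->getMessage() . "\n";
}
$rows = lookupPrepared($pdo, "o'neil");
echo 'prepared query rows for o\'neil: ' . count($rows) . "\n"; // 1
```

Run it with `php example.php` (requires the pdo_sqlite extension). The takeaway for the original question: escaping with `mysqli_real_escape_string()` only does its job when the value is placed inside a quoted literal and the connection charset is set correctly, whereas a bound parameter is never interpreted as SQL regardless of which characters it contains.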