When should you use the mysqli_real_escape_string() PHP function?

I know that the mysqli_real_escape_string() function can be used to prevent SQL injection. (However, mysql_real_escape_string() will not protect you from some injections.)

My question is: when should the mysqli_real_escape_string() function be used?

Situation 01

I have a registration form with 4 fields called First Name, Last Name, Email, Password.

Should I use mysqli_real_escape_string() for the insert query? For all four fields?

Or is it enough to use it in the login form?

Situation 02

I have a profile page like profile.php?user_name=damith

I used $_GET['user_name'] in many functions on this page.

Should I use mysqli_real_escape_string() in all of these functions?

+4
2 answers

mysqli_real_escape_string() is no longer the best way to guarantee the safety of data stored in your database. Instead, you should use prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php


, mysqli_real_escape_string(), htmlspecialchars() (http://php.net/htmlspecialchars)

1 - , .

2 - -, mysqli_real_escape_string(), htmlspecialchars(), XSS .

:

<?php
// Prepared statement. Save the user first name to the database.
// The connection values below are placeholders for your own settings.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$first_name = $_POST['first_name'] ?? '';

$stmt = $mysqli->prepare("INSERT INTO users(first_name) VALUES (?)");
$stmt->bind_param("s", $first_name);
$stmt->execute();

// Echo the user first name back to them, escaped for HTML output
echo "Saved your first name: " .
      htmlspecialchars($first_name) . " to the database.";

SQL . : SQL- PHP?

+3
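Both situations from the question written with prepared statements, as an added example that is not part of the original answer. The `users` table columns, the connection values and the function names are assumptions; the point is that the form fields and `$_GET['user_name']` never become part of the SQL text, so `mysqli_real_escape_string()` is not needed, and `htmlspecialchars()` is applied only when the value is printed.

```php
<?php
// Added example, not from the original answer. Assumes a `users` table with
// columns first_name, last_name, email, password_hash, user_name; the
// connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$mysqli->set_charset('utf8mb4');

// Situation 01: registration form. All four fields are bound as parameters,
// so their content is sent separately from the query and cannot alter it.
function register_user(mysqli $db, array $form): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, last_name, email, password_hash) VALUES (?, ?, ?, ?)'
    );
    $hash = password_hash($form['password'], PASSWORD_DEFAULT);
    $stmt->bind_param('ssss', $form['first_name'], $form['last_name'], $form['email'], $hash);
    $stmt->execute();
    return $db->insert_id;
}

// Situation 02: profile.php?user_name=damith. Read $_GET once, pass the value
// into a parameterised query, and escape only when rendering the result.
function load_profile(mysqli $db, string $user_name): ?array
{
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE user_name = ?');
    $stmt->bind_param('s', $user_name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = register_user($mysqli, $_POST);
    echo 'Registered user #' . (int) $id;
} else {
    $user_name = $_GET['user_name'] ?? '';
    $profile = load_profile($mysqli, $user_name);
    if ($profile === null) {
        http_response_code(404);
        exit('No such user.');
    }
    // Output escaping: markup in a stored name is rendered as text, not as HTML.
    echo 'Profile of ' . htmlspecialchars($profile['first_name'], ENT_QUOTES, 'UTF-8');
}
```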

real_escape_string , sql. .

Situation 01 Situation 02 . , yes.

+2
