As long as you use mysqli_set_charset() to set the client encoding, and mysqli_real_escape_string() is used to format only strings, this is absolutely safe.
However, if your question implies using this function directly in the application code, rather than behind the scenes of placeholder-based query processing, or at least inside a PDO quote()-like function (which performs escaping and ), then this is a direct road to an injection.
The problem is not the function itself, but how it is used:
- since this is only part of the necessary formatting, you can easily forget the other part and get into trouble
- or it can just as easily be used to format not a string, but some other literal that gains nothing from escaping at all.
- secondly, when it is used directly in the application code, its use becomes inconsistent or haphazard, since there is no way to force the developer to format each and every literal properly. This again can lead to mistakes and injections.
Therefore, you should always use placeholders to represent data in the query (while mysqli_real_escape_string can be used to process such a placeholder).
Your common sense
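As an added illustration (example code, not part of the answer above), here are the two misuse patterns the answer describes next to a minimal typed-placeholder helper of the kind it recommends, plus the native prepared-statement form. It assumes PHP 8 with mysqlnd and a hypothetical table `users(id INT, name VARCHAR(64))`; the connection values are placeholders.

```php
<?php
// Added example, not code from the answer. Assumes PHP 8, mysqlnd, and a
// hypothetical table users(id INT, name VARCHAR(64)); connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // escaping is only correct for the charset the client declared

$name = $_GET['name'] ?? '';
$id   = $_GET['id']   ?? '';

// Misuse 1: escaped, but the other half of string formatting (the quotes) is missing.
// The escaped value is spliced into the query bare, so the escaping achieves nothing.
$bad1 = "SELECT * FROM users WHERE name = " . $db->real_escape_string($name);

// Misuse 2: escaping a value that is not a string literal. real_escape_string only
// rewrites quotes, backslashes, NUL and line breaks; any other text passes through unchanged.
$bad2 = "SELECT * FROM users WHERE id = " . $db->real_escape_string($id);

// Helper of the kind the answer describes: every value goes through a typed
// placeholder, so the formatting rule is chosen by the placeholder type, not
// left to the developer. ?s = string literal (escaped AND quoted), ?i = integer literal.
function format_query(mysqli $db, string $sql, mixed ...$args): string
{
    $i = 0;
    return preg_replace_callback('/\?([si])/', function (array $m) use ($db, $args, &$i) {
        $value = $args[$i++];
        return match ($m[1]) {
            's' => "'" . $db->real_escape_string((string) $value) . "'",
            'i' => (string) (int) $value,
        };
    }, $sql);
}

$sql  = format_query($db, "SELECT * FROM users WHERE name = ?s AND id > ?i", $name, $id);
$rows = $db->query($sql)->fetch_all(MYSQLI_ASSOC);

// Native prepared statement: query text and data travel to the server separately,
// so no escaping is involved at all. Prefer this where the driver supports it.
$stmt = $db->prepare("SELECT * FROM users WHERE name = ? AND id > ?");
$stmt->bind_param('si', $name, $id);
$stmt->execute();
$rows2 = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

The two `$bad*` strings are built only to show the shape of the mistake and are never executed.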