Reputation: 491
My question is not about needing help with code, but I am just wondering if mysql_escape_string() makes SQL injection impossible.
I see a lot of people using this function for SQL security. If I use mysql_escape_string(), will I still need to use queries using parameters or not?
Also could you please tell me a good way to use this function or would mysql_escape_string($string) be enough?
If mysql_escape_string() isn't a good practice, could you please explain to me how to use parameters in a query string so I can understand it. I know how to use parameters and stuff in VB.net but I'm lost when it comes to using parameters in PHP and MySQL.
Thanks in advance :).
Upvotes: 0
Views: 230
Reputation: 157989
if mysql_escape_string() makes SQL-injection impossible.
mysql_escape_string() is actually irrelevant to SQL injection.
I see a lot of people using this function for sql-security.
Indeed a lot. They are all in danger.
If I use mysql_escape_string(), will I still need to use queries using parameters or not?
Quite the contrary: if you use parameters, you will not need this function.
Also could you please tell me a good way to use this function
Yes, I could. You can use this function in your own implementation of parameterized queries. That's the only proper way of using this function. It is not required, though, as you can use the ready-made parameters offered by the driver.
If mysql_escape_string() isn't a good practice.
Yes. But only under these conditions:
Could you please explain to me how to use parameters in a querystring
I hope you'll like the explanation in the PDO tag wiki.
Upvotes: 2
Reputation: 14479
I would suggest that you use parameterized queries with PDO. That's all you need, so don't worry about mysql_escape_string() (which is deprecated anyway).
Here is a tutorial on how to use PDO: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html
In case I wasn't being clear enough, any variables passed into your query that originate from outside of your script (or anything that could ever potentially contain malicious code) should be set up as parameters to your PDO statement, and these will be escaped for you.
Upvotes: 1
Reputation: 93805
Rather than ask "Will I still need to use parameters?", take the training wheels off and just use parametrized queries.
The experienced people of StackOverflow don't say "use parametrized queries" over and over and over and over just because we have nothing better to do.
For examples of how to use parametrized queries in PHP, see http://bobby-tables.com/php
Upvotes: 2
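As an added illustration of the PDO approach recommended in the two answers above (this is not code from any of the answers or from the linked tutorials), the script below shows the same lookup written two ways: once by interpolating the value into the SQL text, once with a prepared statement. It uses an in-memory SQLite database and a constructed `users` table so it runs offline; the table name, column names and the sample value `O'Brien` are assumptions for the demonstration, and with MySQL only the DSN and credentials would change.

```php
<?php
// Added example: PDO prepared statements with a named placeholder.
// SQLite in memory so no server is needed; for MySQL use a DSN such as
// 'mysql:host=...;dbname=...;charset=utf8mb4' plus user and password.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (username, email) VALUES
            ('alice', 'alice@example.com'),
            ('O''Brien', 'obrien@example.com')");

// A value as it might arrive from a form field; the apostrophe is the point.
$username = "O'Brien";

// 1. Interpolating the value into the SQL text. The apostrophe is read as
//    part of the query syntax, so the statement is malformed; with other
//    inputs it would instead change what the query means.
try {
    $pdo->query("SELECT email FROM users WHERE username = '$username'");
    echo "Interpolated query ran (unexpected for this input)" . PHP_EOL;
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Prepared statement. The SQL text is fixed when prepare() is called and
//    the value is bound separately, so it is treated purely as data no matter
//    which characters it contains. No escaping function is involved.
$stmt = $pdo->prepare("SELECT email FROM users WHERE username = :username");
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "Parameterized query found: " . ($row ? $row['email'] : 'no match') . PHP_EOL;
```

With MySQL, PDO emulates prepared statements client-side by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` and declaring the charset in the DSN makes the server receive the statement and its values separately, which is the behaviour the answers above rely on.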