MySQLi Quick Security Question

Possible duplicate:
Do I need to use mysql_real_escape_string if I bind parameters?

I have a quick MySQLi security question ...

For example, look at this code (receives input from the user, checks it against the database to see if a combination of username and password exists):

<?php
// Sanitize the raw form values before they reach the query
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);

// query db with a prepared statement; the two placeholders are bound below
if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username = ? AND password = ?"))
{
    // bind_param() takes its arguments by reference, so compute the hash into a variable first
    $hash = md5($input['pass'] . $config['salt']);
    $stmt->bind_param("ss", $input['user'], $hash);
    $stmt->execute();
    $stmt->store_result();

    // check if there is a match in the database for the user/password combination
    if ($stmt->num_rows > 0)
    {
        // login succeeded
    }
    $stmt->close();
}

In this case, I use htmlentities() for the form data and use a prepared MySQLi statement. Should I still use mysql_real_escape_string()?

+3
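As an added illustration of the pattern the question asks about (example code written for this page, not the asker's code and not taken from either answer): with a prepared statement the bound values travel to MySQL separately from the SQL text, so neither mysql_real_escape_string() nor htmlentities() belongs on the input. htmlspecialchars() is applied only at the point where the username is rendered as HTML, and password_hash()/password_verify() are used in place of salted md5. The table name `members`, its columns `id`, `username` and `password_hash`, the connection parameters and the two function names are assumptions.

```php
<?php
// Added example; not part of the original question or answers.
// Assumes a `members` table with columns id, username, password_hash
// (an assumption) and a mysqli connection created as shown below.
declare(strict_types=1);

function connect(): mysqli
{
    // Connection parameters are placeholders.
    $db = new mysqli('localhost', 'app', 'app-password', 'appdb');
    $db->set_charset('utf8mb4'); // charset also governs any escaping mysqli does
    return $db;
}

// Registration: store a salted, slow hash. The raw password goes straight into
// the bound parameter; no SQL or HTML escaping is applied to it.
function register(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Login: look the row up by username only, then verify the hash in PHP.
// Returns the member id on success, null otherwise.
function login(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM members WHERE username = ?');
    $stmt->bind_param('s', $username);   // value is sent out of band, never spliced into SQL
    $stmt->execute();
    $stmt->bind_result($id, $storedHash);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    if (!$found) {
        return null;
    }
    // password_verify() reads the algorithm and salt from the stored hash
    return password_verify($password, $storedHash) ? (int) $id : null;
}

$db = connect();
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$memberId = login($db, $username, $password);
if ($memberId !== null) {
    // Escape only here, where the value becomes HTML, with the page's charset.
    echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Invalid username or password';
}
```

Keeping the input unescaped also means the stored username is the real string the user typed, so a later lookup with the same prepared statement matches; running htmlentities() on input would store a transformed value (for example `&#039;` for a quote) and break that round trip.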
2 answers

, , html, , escape-. UTF-8.

, , mysqli, .

BTW MySQLi escape-., .

+1

, mysql_real_escape_string, . , , . mysql_real_escape_string , SQL .

+2

Source: https://habr.com/ru/post/1746774/

