Do prepared statements completely protect my site from MySQL injection?

I use prepared statements and MySQLi with my queries for protection against injection. Do prepared statements completely eliminate the need for mysql_real_escape_string? Is there anything else I should consider when protecting my site?

+3
2 answers

As long as you use prepared statements correctly, they will. You need to make sure that you bind all external variables and do not put them directly in the query.

For instance:

$stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $name); // $name is concatenated into the SQL text, so its content becomes part of the query



$stmt = $mysqli->prepare("SELECT District FROM City WHERE Name = ?"); // placeholder instead of concatenation
$stmt->bind_param("s", $city); // bind the value as a string; it is sent as data, not as SQL
$stmt->execute();
+5
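As an added example (not part of the answer above or the original thread), the bound-parameter pattern from this answer wrapped in a function, assuming an existing `$mysqli` connection and the `City` table used in the answer; the second function and its column list are assumed, to show the one place `?` cannot help, an identifier supplied by the request:

```php
<?php
declare(strict_types=1);

// Throw on MySQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up the district of a city. The city name is bound as a parameter,
 * so whatever the user typed reaches the server as data, never as SQL text.
 */
function lookupDistrict(mysqli $mysqli, string $city): ?string
{
    $stmt = $mysqli->prepare("SELECT District FROM City WHERE Name = ?");
    $stmt->bind_param("s", $city);   // "s": bind as a string
    $stmt->execute();
    $stmt->bind_result($district);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $district : null;
}

/**
 * Identifiers (column names, ORDER BY targets) cannot be bound with "?".
 * If one must come from the request, map it through a fixed whitelist
 * instead of interpolating the raw value. The column list is assumed.
 */
function citiesOrderedBy(mysqli $mysqli, string $requestedColumn): array
{
    $allowed = ['Name' => 'Name', 'District' => 'District', 'Population' => 'Population'];
    $column = $allowed[$requestedColumn] ?? 'Name';   // unknown input falls back to a default
    $stmt = $mysqli->prepare("SELECT Name, District FROM City ORDER BY $column LIMIT 10");
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Assumed connection details.
$mysqli = new mysqli('localhost', 'user', 'pass', 'world');

var_dump(lookupDistrict($mysqli, "Paris"));            // the district string, or null if absent
var_dump(lookupDistrict($mysqli, "Paris' OR '1'='1")); // null: compared as a literal name, no injection
var_dump(citiesOrderedBy($mysqli, "Population; --"));   // ordered by Name: the unknown value never reaches the query
```

Keeping `mysqli_report` in strict mode matters: without it a failed `prepare()` returns `false` and the next call fails with a less obvious error.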


Source: https://habr.com/ru/post/1765519/
