Note. I reviewed this question: Prevent SQL injection without prepared statements (JDBC) . And, as I expected ... the answer is to use prepared statements. I have different circumstances ... so I would like to know the best way for this.
I use a downloaded script (phpsimplechat) where the author wrote his own simple SQL level (note: it supports PostgreSQL and MySQL). Unfortunately, I tested some tests on it and is vulnerable to SQL Injection. The script does everything I want, just in terms of functions, so I would like to save it.
Fortunately, this is open source ... but I would prefer not to rewrite all SQL queries to use prepared statements in phpsimplechat. The third-party library uses its own SQL level instead of PDO ... and under it the older mysql module is used (so I can’t use prepared statements. Even if I changed mysql -> mysqli, I have to deal with the "dbQuery" layer that it put on top of all my code). I do not need PostgreSQL code, so the answers may be specific to MySQL.
I read that addlashes is not enough to protect against all SQL injection attempts. Is it safe to use mysql_real_escape_string?
source
share