Can we avoid Sqlinjection with mysqli_real_scape_string only?

Question

Can we avoid Sqlinjection with mysqli_real_scape_string only?

Asked 9 years ago

Viewed 31 times

1

Example:

$conexao = mysqli_connect("localhost", "user", "password", "my_db");

$pegaNome = $_POST['nome'];


function insere($conexao, $pegaNome) {
     $nome = mysqli_real_scape_string($conexao, $nome);
     $query = "INSERT INTO my_db (nome) VALUES ('{$nome}')";
     $result = mysqli_query($conexao, $query);
     return $result
}

Just with this function I already prevent any attempt of the end user to do Sqlinjection? What are the best ways to avoid?

Grateful!

Escaping characters does not solve the sql Injection problem, Prepared statements decrease the risk. See that answer

– rray

2015/11/30 at 23:04

No answers

Browser other questions tagged php mysql mysqli security-guard

You are not signed in. Login or sign up in order to post.