Use of mysqli_prepare prevents major SQL Injection attacks

Viewed 147 times

0

I know that the mysqli_prepare function is used to prepare SQL queries and protect them against SQL Injection.

I found two pages about SQL Injection:

  1. https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  2. https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

I'm starting to study the subject, and I was wondering if the function mysqli_prepare can prevent these cases, or if I would need "something else" in my PHP script besides mysqli_prepare.

My question is:

Does using mysqli_prepare prevent ALL SQL Injection attacks, or is it restricted to the main types of SQL Injection attacks?

  • Possible duplicate of http://answall.com/questions/3864/como-prevenir-inje%C3%A7%C3%A3o-de-c%C3%B3digo-sql-no-meu-c%C3%B3digo-php?rq=1

2 answers

-1

mysql_prepare avoids SQL injection, since you use parameters in the query. If you use mysql_prepare and concatenate the values of the fields into the query, it will not do any good. However, the mysql_* functions are considered obsolete. I would recommend you use PDO; it is very good for working with databases, and if one day you need to switch your database, it will be much simpler with PDO.

  • 2

    The question is about mysqli_, not mysql_. In this case PDO would be a step down from what was asked (mysql_ without the "i" is the problem. PDO is better than mysql_, but mysqli_ is much better than PDO for use with MySQL, because it was made for it, especially on the security side, which is not just emulated concatenation as in PDO). The part about using parameters is fine. Just the recommendation needs to be fixed.

-2

The purpose of prepared statements is to not include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use (code easier to read) and not prone to SQL injections.

Escaping strings to include in SQL statements doesn't work very well in some locales. Hence it is not safe.

Translation:

The purpose of prepared statements is not to include data in SQL statements

"Escaping strings" to include in SQL statements does not work in some cases, so it is not safe

Taken from php.net

  • 1

    Despite your good intention of helping, the language of the site is Portuguese, and it is expected that both questions and answers are too, even when they are quotes. So, in order not to have your answer disqualified with downvotes, you could translate this quote.
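Putting the two answers together, as an added PHP example that is not code from the question or either answer: the concatenation pattern the second answer calls unsafe, the mysqli prepared statement beside it, and, going one step beyond what the answers say, the one input class a placeholder cannot stand for (column names and sort direction), which has to be checked against a fixed allow-list. The `users(id, name, email)` table and the `$db` connection are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Make prepare()/execute() throw instead of returning false silently (default since PHP 8.1).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// UNSAFE: the input is pasted into the SQL text, so a quote character in $name
// ends the string literal and whatever follows is parsed as SQL.
function findUserUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;
}

// SAFE: the SQL text with a placeholder is sent first; the value travels
// separately and is never parsed as SQL, whatever characters it contains.
function findUserSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);          // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// LIMIT OF THE TECHNIQUE: placeholders only stand for values. Identifiers
// (table/column names) and keywords such as ASC/DESC cannot be bound, so they
// must come from an allow-list before being placed in the SQL text.
// The LIMIT count, by contrast, is a value and can be bound as an integer.
function listUsersSorted(mysqli $db, string $orderBy, string $dir, int $limit = 50): array
{
    $allowedCols = ['id', 'name', 'email'];
    $allowedDirs = ['ASC', 'DESC'];
    $dir = strtoupper($dir);
    if (!in_array($orderBy, $allowedCols, true) || !in_array($dir, $allowedDirs, true)) {
        throw new InvalidArgumentException('unsupported sort parameter');
    }
    // Only allow-listed tokens reach the SQL text; the limit is still bound.
    $sql = sprintf('SELECT id, name, email FROM users ORDER BY `%s` %s LIMIT ?', $orderBy, $dir);
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
```

So the answer to the question is: mysqli_prepare with bound parameters covers every injection that arrives through a data value, but anything that has to become part of the SQL text itself (identifiers, sort direction, a dynamically chosen table) is outside what binding can protect and needs the allow-list check shown in `listUsersSorted`.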
