1
Mysqli (Mysql Extended) has greater security and I thought so far that I did not need to process the variable data before adding to the bank, but studying on that page found this code similar to the one I used in old Mysql. It is really necessary to use this code to process the data before inserting it into the database.
Code:
$variavel="'" . $conexao->real_escape_string('col1_value') . "'";
In case, I always use the Prepared Statements, then, only it solves or I have to add this too?
1
The preparedStatements are interpreted by the data bank and stored there while your connection is active. When read, the database already interprets the types of data that should go in each placeholder, so if you pass a parameter with the incorrect type (or a SQL valid, for example), the database will simply give error. For text fields, the database will even accept SQL, but it will be saved in the column of this field instead of actually running.
From a security point of view, one should not even trust what comes from the database, for situations like this of the user saving an SQL in a textual field. But this would be more in the situations of SELECT than in situations INSERT/UPDATE/DELETE.
Updating
I checked the site mentioned and noticed that the subject is using queries concatenated. It concatenates SQL with the variables coming from the user and therefore it uses the escape. In the examples it uses preparedStatements he can’t escape either.
Browser other questions tagged php mysqli
You are not signed in. Login or sign up in order to post.
I didn’t understand the doubt
– KhaosDoctor
Not missing an interrogation there in "It really is necessary..."?
– brasofilo