Home/ Questions/Q 7699581
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T22:30:44+00:00

I am using a bit of borrowed code, and am concerned for its vulnerability

  • 0

I am using a bit of borrowed code, and am concerned for its vulnerability to SQL injection…

// Set the default namespace to utf8
$mysqli->query("SET NAMES 'utf8'");
$userID = $_POST['userID'];
$json   = array();
if($result = $mysqli->query("SELECT * FROM towns WHERE userID=".$userID)) {
while ($row=$result->fetch_assoc()) {
    $json[]=array(
        'townID'=>$row['townID'],
        'townName'=>$row['townName']
    );
}
}
$result->close(); 
header("Content-Type: text/json");
echo json_encode(array( 'towns'  =>   $json ));

Question 1: Does $mysqli->query("SET NAMES 'utf8'"); have any form of sql injection assistance?
Question 2: Should I be using some form of real_escape_string?

If I need to use real_escape_string, should I set the var like this:

$userID = $_POST['userID'];
$userID = $mysqli->real_escape_string($userID);

Then, I can use it just like I currently am in my query?

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Question 1: Does $mysqli->query(“SET NAMES ‘utf8′”); have any form of sql injection assistance?

    Worded this way – definitely NO.
    But see the note at the bottom.

    Question 2: Should I be using some form of real_escape_string?

    You are asking out of delusion that escaping has something to do with injections, while it is not. So, let’s rephrase your question:

    Question 2a: Should I be take some precautions against SQL injections?

    Yes.
    You have three choices.

    1. Since $userID being a number, you may cast it to that type explicitly, $userID = intval($_POST['userID'];)
    2. Mysql (when not in the STRICT MODE) let you send the number as a string. Strings has to be formatted according to these 2 simple rules, as it shown in the Rob’s answer:
      • it has to be delimited by single quotes
      • these quotes have to be escaped.
    3. You can use prepared statements. To use such a fashionable way of running sql queries you have to use prepare() + execute() methods instead of query() and bind your variable using bind_param().

    A note regarding the title question.

    is setting namespace to utf-8 any form of sql injection protection?

    Yes, in a way.
    In some, extremely rare circumstances, it is.
    For some rare encodings real_escape_string family function may fail proper delimiter escaping. To avoid that, one have to set up the client encoding using set_charset family function, mysqli->set_charset() in your case.

    • 0