Home/ Questions/Q 9149859
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T11:32:03+00:00

Is the code below better at preventing a SQL injection on a MySQL database

  • 0

Is the code below better at preventing a SQL injection on a MySQL database than mysqli_real_escape_string would be?

$str = "SELECT * FROM customers WHERE username = '; DELETE FROM customers WHERE 1 or username = '";
$str2 = "";

for($i = 0; $i < strlen($str); $i++)
{
    if (strpos ("abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ,.?!0123456789", $str[$i], 0) !== FALSE)
    {
        $str2 = $str2 . $str[$i];
    }
}

echo "$str2";
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There is absolutely no reason to use a whitelist/blacklist when trying to avoid SQL injection. All you need to do when using the mysqli_ functions without prepared statements is to process data with mysqli_real_escape_string().

    However, you’d be better off learning about prepared statements instead. They are cleaner and safer than escaping.

    The code to execute your example query with prepared statements would look like this:

    $stmt = $conn->prepare('SELECT * FROM customers WHERE username = ?');
$stmt->bind_param('s', $username);
$result = $stmt->execute();

    Since you don’t understand the example, here’s a detailed explanation:

    • Line 1 prepares the statement. You use ? whenever you want to use external data.
    • Line 2 binds a string (s) parameter for the first placeholder. So $username should contain the (untrusted) value
    • Line 3 executes the statement with the previously bound parameter. SQL and data is transferred separately so there is no SQL injection risk.
    • 0