Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
OK, I have one question before I start coding MySQL in my school project. Is mysql_real_escape_string is really safe to use? I’ve heard that it’s still not really safe to use..So are there any tweaks which makes SQL query secure? I’ve used mysql_real_escape_string before many times, but not I am building a website for my school, so first thing I’ve to check is security.
UPDATE: The answer below was to the best of my knowledge correct at the time of writing. The fact is mysql_real_escape_string is not safe and never really was. You should always use prepared statements instead.
As mysql_* has been removed completely as of PHP 7 the situation has become moot. I’ve left my original answer for historical purposes below.
mysql_real_escape_string is safe to use if used properly (ie, everywhere you’re inserting PHP variables into your queries), but as has been pointed out in the comments it’s not the only thing you need to worry about. For example, HTML markup could be inserted into your DB and used for Cross Site Scripting attacks.
You might also want to consider prepared statements as an alternative to mysql_real_escape_string, as they will automatically escape input for you so there’s no chance of accidentally forgetting to escape a parameter.