Quick one.
I’m in the process of migrating an old web application that uses mysql to mysqli. I used to protect against SQL injection with a custom sanitation function I wrote:
function sani($text = "") {
    if (!is_array($text)) {
        // Replace characters that could break out of a quoted SQL string
        // with their HTML entities (note: this is output encoding, not SQL escaping)
        $text = str_replace("<", "&lt;", $text);
        $text = str_replace(">", "&gt;", $text);
        $text = str_replace("\"", "&quot;", $text);
        $text = str_replace("'", "&#39;", $text);
        return $text;
    }
}
The way I used to use this:
mysql_query("SELECT * FROM `table` WHERE `username` = '" . sani($userinput) . "'");
Basically all it does is change symbols that can be used for injection into HTML encoding. It has worked fine up until now, but since I’m migrating to mysqli, I wanted to know if prepared statements would be more secure than this function.
Also, I have read a lot about the speed differences between prepared and unprepared statements, is it really that noticeable? I do around a hundred queries a second, so I doubt I would be affected very much?
Thanks!
Yes, prepared statements would certainly be more secure than this function, and they have the added benefit of not having to decode your data when you get it back from your database, too. By the way, even for the old mysql library, you really should rely on mysql_real_escape_string rather than your custom-built sanitation function 🙂

Prepared statements can be much faster than unprepared statements, and in a typical usage situation, you’ll benefit from this even if you’re “just” doing 100 queries/second.
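For reference, here is the same username lookup rewritten with a mysqli prepared statement. This is an added example, not code from either poster; the connection parameters and the `findUserByName` function name are placeholders, and `get_result()` assumes the mysqlnd driver is available (otherwise use `bind_result()` and `fetch()`). The point it illustrates is the answer's: the input is bound as a parameter rather than spliced into the SQL text, so it is never parsed as SQL, and the database stores the original value, so nothing has to be decoded on the way back out.

```php
<?php
// Added example (not from the original post): the lookup from the question
// rewritten with a mysqli prepared statement. Connection details are placeholders.
declare(strict_types=1);

// Throw exceptions on errors instead of failing silently
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
$db->set_charset('utf8mb4');

/**
 * Look up a user row by username using a parameterised query.
 * The SQL text is sent to the server first; the username is sent separately
 * as a typed parameter, so its content can never alter the statement.
 */
function findUserByName(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT * FROM `table` WHERE `username` = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Typical usage: the raw request value goes straight to the query, untouched.
// No sani()/escape step is needed for the SQL layer at all.
$user = findUserByName($db, $_GET['username'] ?? '');

// Output encoding belongs at the output boundary (here: HTML), not before storage.
// The database holds the original text, so nothing has to be decoded on read.
if ($user !== null) {
    echo 'Hello, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}
```

With the original `sani()` approach the value `O'Brien` would have been stored as `O&#39;Brien`, and every place that reads it back for a non-HTML context (an e-mail, a JSON API, a CSV export) would have to undo that encoding. The prepared statement keeps the two concerns separate: the query layer handles SQL safety, and `htmlspecialchars()` handles HTML safety only where HTML is actually produced.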