So, I started to use MySQLi extension as I heard it will be the supported one in the future. I read about that instead of using mysql_real_escape_string() I must use prepare() for security reasons, for example when I use a $_GET or $_POST in my query.
Is it true? I see that prepare() is good for making SQL query templates where I can change parameters. So the script can be dynamic on SQL level too. Its really useful. But I can’t find real info about its security measures. Is it really escapes evil stuff and protects from injection? Or I have to deal with it on programming level?
For example this code is safe? As you can see it use a $_GET to fill the template so it can be really dangerous if MySQLi prepare isn’t work as I want it to be.
$stmt = $mysqli->prepare('SELECT description,title FROM menu WHERE name = ?');
$stmt->bind_param('s', $n);
$n = $_GET['b'];
$stmt->bind_result($meta_description,$meta_title);
$stmt->execute();
Prepared parameters are immune to injection because they get offered to the server after SQL was parsed, ie no way they can be interpreted as SQL fragments, which is the base of an SQL injection attack.
In your example whatever is in the
$_GET['b']variable will be used by the server to compare with thenamedatabase field but there is absolutely NO WAY the server could be tricked into interpreting that text as a boolean equation, an end of statement followed by say a delete, …So by design it doesn’t offer SQL injection an attack surface, and that’s why using prepared statements is so much superior to all kinds of escaping and input scrubbing schemes.