Home/ Questions/Q 4062228
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T15:34:21+00:00

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even

  • 0

Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used.
Bringing some fossilized articles as a proof.

So, the question is: is mysql[i]_real escape_string() totally unacceptable?
Or is it’s still possible to use this function to create your own kind of prepared statements?

With proofcode, please.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    From the MySQL’s C API function mysql_real_escape_string description:

    If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.

    So don’t use SET NAMES/SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).

    • 0