Is mysqli_real_escape_string safe?

php sql-injection mysqli

Solution 1:

Is this correct?

Yes.

Is this a good example of how to use mysqli_real_escape_string?

NO

If ever used, this function have to be encapsulated into some inner processing, and never have to be called right from the application code. A placeholder have to be used instead, to represent data in your query:

$sql='SELECT * FROM usuarios WHERE username=? AND pass=?';

And then, upon processing placeholder marks, this function may be applied (if applicable) but not by itself but along ALL the formatting rules.

Solution 2:

Yes you will use it save now.

The nice thing about using mysqli is that it is Object oriented. So you can use it like this:

<?php

$mysqli = new mysqli("host", "user", "password", "database");

$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);

$sql='  SELECT * FROM usuarios 
        WHERE username="'.$usuario.'" 
        AND pass="'.$clave.'"
     ';

$mysqli->query($sql);

$mysqli->close();
?>

Or you can use PDO.

Solution 3:

The use of mysqli() functions should only be reserved for framework developers and others who are aware of all the safety issues it can bring. For everyone else, there's PDO. It's just as easy to use as mysqli(), and far safer.

Related

What SqlDbType maps to varBinary(max)?
Django connection to postgres by docker-compose
Is the :before pseudo-element allowed on an input[type=checkbox]?
What is the VTable Layout and VTable Pointer Location in C++ Objects in GCC 3.x and 4.x?
How to use KeyListener with JFrame?
Using contains on an ArrayList with integer arrays
How to flatten all items from a nested Java Collection into a single List?
INNER JOIN in UPDATE sql for DB2
Function-to-function-pointer "decay"
Error Inflating class com.google.android.maps.MapView
Grails3 file upload maxFileSize limit
Azure Function gives error: System.Drawing is not supported on this platform