
Is `mysql_real_escape_string` a Reliable Defense Against SQL Injection?

DDD
2024-10-26


The Drawbacks of mysql_real_escape_string

mysql_real_escape_string escapes the characters that have special meaning inside a quoted SQL string literal (quotes, backslashes, NUL and a few others), which does prevent SQL injection in that one context. Its limitations, however, deserve attention.

Concatenating Queries:
Building a query by concatenation and relying on mysql_real_escape_string does not fully shield against SQL injection. Consider the following example:

mysql_query('DELETE FROM users WHERE user_id = '.mysql_real_escape_string($input)); // vulnerable: the value is not enclosed in quotes

Input such as "5 OR 1=1" bypasses the safeguard because the function is used incorrectly here: the value is placed into the query unquoted, as if it were a number, so the escaping of quote characters has nothing to act on. "5 OR 1=1" contains no quotes or backslashes, passes through unchanged, and the resulting statement is DELETE FROM users WHERE user_id = 5 OR 1=1, which deletes every row.
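The following is an added example, not code from the original article, showing the unquoted numeric case above beside two correct alternatives. It assumes an existing mysqli connection $link and a table `users` with an integer column `user_id`; mysqli is used because the mysql_ extension was removed in PHP 7.0.

```php
<?php
// Added example (not from the original article). Assumes a mysqli connection
// $link and a table `users` with an integer column `user_id`.

// VULNERABLE: the value is not quoted, so escaping cannot help.
// mysqli_real_escape_string($link, "5 OR 1=1") returns "5 OR 1=1" unchanged,
// because the input contains no quote, backslash or NUL byte to escape.
function delete_user_unsafe(mysqli $link, string $input): string
{
    $sql = 'DELETE FROM users WHERE user_id = ' . mysqli_real_escape_string($link, $input);
    // With $input = "5 OR 1=1" this is: DELETE FROM users WHERE user_id = 5 OR 1=1
    return $sql; // returned instead of executed so the effect can be inspected
}

// Validate that the input really is an integer; reject anything else outright.
function parse_user_id(string $input): int
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('user_id must be an integer');
    }
    return $id;
}

// SAFE (1): prepared statement. The value travels separately from the SQL
// text, so the server never parses it as SQL, whatever it contains.
function delete_user_prepared(mysqli $link, string $input): int
{
    $id   = parse_user_id($input);
    $stmt = $link->prepare('DELETE FROM users WHERE user_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// SAFE (2): if a numeric value must be concatenated, validate and cast it so
// no SQL syntax can survive; escaping is the wrong tool for an unquoted number.
function delete_user_cast(mysqli $link, string $input): int
{
    $id = parse_user_id($input);
    $link->query('DELETE FROM users WHERE user_id = ' . $id);
    return $link->affected_rows;
}
```

Calling delete_user_unsafe($link, "5 OR 1=1") returns the statement shown in the comment; delete_user_prepared and delete_user_cast both throw for that input instead of running anything, because it is not an integer.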

Narrow Scope:
mysql_real_escape_string is designed specifically for modifying string values intended for inclusion within quoted strings in an SQL statement.

$value = mysql_real_escape_string($value, $link);
$sql = "... `foo` = '$value' ...";

If employed outside this narrow context, for instance on a value that is not enclosed in quotes, or on data that is later output as HTML rather than sent to MySQL, mysql_real_escape_string may produce SQL syntax errors or leave XSS vulnerabilities in place, since the backslashes it inserts are not HTML escaping.

Charset Discrepancies:
Setting the connection character set incorrectly can introduce vulnerabilities. Running mysql_query("SET NAMES 'utf8'", $link) changes the character set the server uses for the session, but the client library is not told about the change, so the mysql_ API keeps escaping strings according to the character set negotiated when the connection was opened while the server interprets them in a different one. Escaping done in the wrong character set can leave a quote character unescaped.

Incorrect Implementation:
mysql_real_escape_string is prone to incorrect usage, such as:

  • Applying it to values that are not enclosed in quotes in the query
  • Applying it to the whole SQL query rather than to the individual values
  • Treating it as a substitute for prepared statements

While mysql_real_escape_string can protect against injection when used correctly, more robust techniques, above all prepared statements, are recommended: they keep the values out of the SQL text altogether, so none of the mistakes above are possible.
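To make the recommendation concrete, here is an added example (not from the original article) of the general replacement for escaping using PDO. It assumes a table `users` with columns `user_id`, `name` and `email`; the DSN, user and password are placeholders. It also covers two cases escaping never handled well: LIKE wildcards, which binding does not neutralise, and identifiers, which cannot be bound at all and must be allow-listed.

```php
<?php
// Added example (not from the original article). Assumes a table `users`
// with columns `user_id`, `name`, `email`. DSN and credentials are placeholders.

function pdo_connect(string $dsn, string $user, string $pass): PDO
{
    // The charset is part of the DSN, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4',
    // so client and server agree from the first byte. Emulated prepares are
    // disabled so binding is done by the server, not by string substitution
    // in the driver.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// A value containing quotes or backslashes needs no escaping at all.
function find_by_email(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT user_id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]); // "o'brien@example.com" is handled correctly
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// LIKE: binding prevents injection, but % and _ inside the input are still
// wildcards. Escape them (MySQL's default LIKE escape character is backslash)
// when the caller means them literally.
function search_name(PDO $pdo, string $fragment): array
{
    $literal = addcslashes($fragment, '%_\\');
    $stmt    = $pdo->prepare('SELECT user_id, name FROM users WHERE name LIKE :pat');
    $stmt->execute([':pat' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers and keywords cannot be bound. Accept only values from a fixed
// allow-list and build the SQL from those, never from the raw input.
function list_users(PDO $pdo, string $orderBy, string $direction): array
{
    $columns = ['user_id', 'name', 'email'];
    if (!in_array($orderBy, $columns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir  = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT user_id, name, email FROM users ORDER BY `$orderBy` $dir");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Every user-supplied value goes through a bound parameter; the only strings that reach the SQL text unbound are the column name and sort direction, and both are drawn from constants chosen by the code rather than from the request.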
