Is `mysql_real_escape_string()` Really Flawed, or Just Misunderstood?

Is mysql_real_escape_string() Fatal Flawed?

Despite claims of its unreliability, mysql_real_escape_string() remains a valuable tool for creating your own prepared statements. Here's a breakdown of its functionality and how to use it effectively.

mysql_real_escape_string() Explained

The MySQL C API documentation states: "If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement."

This means that to correctly utilize mysql_real_escape_string(), you should use mysql_set_charset(). PHP's mysql_set_charset() mirrors MySQL's mysql_set_character_set().

Proof Code

<?php
$mysqli = new mysqli("localhost", "username", "password", "database");

// Set the character set using mysql_set_charset()
$mysqli->set_charset("utf8mb4");

// Prepared statement using mysql_real_escape_string()
$stmt = $mysqli->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param('s', mysql_real_escape_string($_GET['username']));
$stmt->execute();
?>

In this example, mysql_set_charset() ensures that the connection uses the utf8mb4 character set. This allows mysql_real_escape_string() to properly handle characters that might otherwise be vulnerable to SQL injection.

Conclusion

While it's important to understand the limitations of mysql_real_escape_string(), using it in conjunction with mysql_set_charset() allows you to effectively create your own prepared statements. By taking these steps, you can mitigate the risks of SQL injection and maintain the security of your applications.

The above is the detailed content of Is `mysql_real_escape_string()` Really Flawed, or Just Misunderstood?. For more information, please follow other related articles on the PHP Chinese website!