Home >Database >Mysql Tutorial >Is `mysql_real_escape_string()` Still Secure Against SQL Injection?

Is `mysql_real_escape_string()` Still Secure Against SQL Injection?

Susan Sarandon
Susan SarandonOriginal
2024-12-07 14:41:11832browse

Is `mysql_real_escape_string()` Still Secure Against SQL Injection?

Is mysql_real_escape_string() a Broken Function?

Concerns have been raised about the efficacy of mysql_real_escape_string() in mitigating SQL injection vulnerabilities, despite proper usage. Skeptics cite antiquated articles as evidence of its flaws.

Can mysql_real_escape_string() Still Be Utilized?

To answer this question, we delve into the MySQL C API documentation for mysql_real_escape_string():

"If you need to change the character set of the connection, use mysql_set_character_set() instead of executing SET NAMES."

Code Demonstration:

mysql_real_escape_string()

Explanation:

According to the documentation, mysql_set_character_set() affects the character set used by mysql_real_escape_string(), unlike SET NAMES. Therefore, you should use mysql_set_charset() to change the encoding in PHP applications.

Conclusion:

While mysql_real_escape_string() may not be completely broken, it is imperative to use it in conjunction with mysql_set_character_set() to ensure proper character set handling and prevent potential SQL injection vulnerabilities.

The above is the detailed content of Is `mysql_real_escape_string()` Still Secure Against SQL Injection?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn