Asked 3 years ago
28 Jul 2021
Views 442
Otis

Otis posted

Is SQL injection possible with mysqli_real_escape_string?

Is SQL injection possible with mysqli_real_escape_string?
debugger

debugger
answered Feb 27 '23 00:00

No, SQL injection is generally not possible when using mysqli_real_escape_string properly.

mysqli_real_escape_string is a function provided by the mysqli extension in PHP that is used to escape special characters in strings before

in SQL queries. When a string is passed through this function, any characters that could potentially be used to execute SQL code are escaped with a backslash, so that they are treated as literal characters rather than code.

For example, if a user inputs a string like "'; DROP TABLE users; --", which could potentially be used to execute a destructive SQL command , mysqli_real_escape_string would escape the special characters so that they are treated as part of the string rather than part of the SQL code :

$input = "'; DROP TABLE users; --";
$escaped_input = mysqli_real_escape_string($connection, $input);
// $escaped_input is now "\'; DROP TABLE users; --"



However, it is important to note that mysqli_real_escape_string is not foolproof, and there are situations where SQL injection attacks can still occur. For example, if the input is not properly sanitized or validated before being passed to the function, or if the SQL query is constructed dynamically using string concatenation, rather than using prepared statements or parameterized queries, SQL injection attacks may still be possible.

Therefore, it is important to use mysqli_real_escape_string along with other security measures, such as parameterized queries, to protect against SQL injection attacks.



Post Answer