Menu
Is the following good enough to avoid a SQL injection?
mysql_real_escape_string(htmlentities (urlencode($_POST['postmessage'])));
483
SQL injection attacks pose a serious security threat to organizations. A successful SQL injection attack can result in confidential data being deleted, lost or stolen; websites being defaced; unauthorized access to systems or accounts and, ultimately, compromise of individual machines or entire networks.
SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.
The short answer is NO, PDO prepares will not defend you from all possible SQL-Injection attacks.
Conclusions. Parameterized queries solve SQL Injection vulnerabilities. This example uses PDO to fix the vulnerability but you can still use mysqli functions to prevent SQL Injection.
mysql_real_escape_string() is the only method you need here.
You shouldn't do an htmlentities() nor urlencode() before inserting data in your database. These methods are usually code executed during the rendering of the view you offer to your users.
A better way to avoid SQL injection is the use of prepared statements.
Resources:
On the same topic:
110
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
