Does using a hash on a value before inserting it into an SQL query protect against SQL injection without even having to use mysql_real_escape_string? (Assuming you were to do this for your entire site.)
Edit: To be specific, the purpose is to take a key from the user and hash it before comparing it to other hashed columns in my table, then retrieve another column value where the hashes match. Sorry for not specifying.
Yes, but it'll also make your data useless. :P Remember, hashing is one-way, so you wouldn't be able to get the meaningful data back. Encryption is two way, and that's probably what you really meant.
I think using prepared SQL statements is a more widely accepted solution for this sort of thing. See this question.
Yes, but once you hash the information, you can't regenerate the information from the hash. Use an encoding method instead.
Also, mysql_* functions are (or soon will be) deprecated. You should consider switching to mysqli or PDO. If you're a lazy bum (like me), you can use the mysqli procedural style which is almost identical to the original mysql_ functions.
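The lookup described in the question (hash the user's key, match it against a hashed column, return another column), written with a PDO prepared statement as the answers suggest. This is an added example, not code from any of the posts; the table and column names, the choice of SHA-256 and the in-memory SQLite DSN are assumptions.

```php
<?php
declare(strict_types=1);

function make_db(): PDO
{
    // In-memory SQLite keeps the example self-contained; with MySQL only the DSN changes.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hypothetical schema: the key is stored only as its hash.
    $pdo->exec('CREATE TABLE api_keys (key_hash TEXT PRIMARY KEY, owner TEXT NOT NULL)');
    return $pdo;
}

function hash_key(string $key): string
{
    // Hex digest: 64 characters from [0-9a-f]. The raw-binary form
    // (third argument true) can contain any byte, quotes included,
    // so the hash alone is not what makes the query safe.
    return hash('sha256', $key);
}

function store_key(PDO $pdo, string $key, string $owner): void
{
    // $owner is not hashed, so it reaches the query as-is: binding covers it too.
    $stmt = $pdo->prepare('INSERT INTO api_keys (key_hash, owner) VALUES (:h, :o)');
    $stmt->execute([':h' => hash_key($key), ':o' => $owner]);
}

function find_owner(PDO $pdo, string $userKey): ?string
{
    // The digest is sent as a bound parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT owner FROM api_keys WHERE key_hash = :h');
    $stmt->execute([':h' => hash_key($userKey)]);
    $owner = $stmt->fetchColumn();          // false when no row matches
    return $owner === false ? null : $owner;
}

// Constructed sample data.
$pdo = make_db();
store_key($pdo, 'k-3f9a-constructed', "O'Brien");

var_dump(find_owner($pdo, 'k-3f9a-constructed'));  // lookup with the stored key
var_dump(find_owner($pdo, "no-such-key' --"));     // lookup with a key containing a quote
```

Every value in the query goes through a placeholder, whether it was hashed or not, so the query stays safe if the hashing step is later changed or another unhashed column is added.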