Prepared Statements or mysqli->real_escape_string?

chidge
Forum Commoner
Posts: 29
Joined: Sat May 10, 2008 4:03 pm

Prepared Statements or mysqli->real_escape_string?

Post by chidge »

So for the dreaded SQL injections.

I have been using a homemade function that strips GPC if it's on and then runs the variable through mysqli->real_escape_string; the "safe" variables are then placed directly into the SQL statement - up until now.

But I have just read a great new book saying that prepared statements are the way.

Is this just a matter of preference, or is one better than the other?

Newbie to PHP here. I have read and now understand loads, but the questions that can be asked here can't be answered in books!

Cheers
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Prepared Statements or mysqli->real_escape_string?

Post by Mordred »

Beware of the magic quotes, you're probably making this mistake: http://www.logris.org/security/the-curs ... gic-quotes

Tripping points for dynamic SQL queries: http://www.webappsec.org/projects/articles/091007.shtml

Prepared statements are okay, until you try to insert things which are not values, in which case you fall in the same dangerous territory as dynamic SQL queries, and the article above becomes relevant once more.
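An added example, not code from either poster, that puts the two halves of this thread side by side in PHP: the escape-then-concatenate pattern from the question, the mysqli prepared-statement alternative, and the non-value case the reply warns about (a column name or sort keyword cannot be a placeholder, so it is mapped onto an allow-list instead). The `users` table, the connection credentials and the function names are assumptions for the sake of the example.

```php
<?php
declare(strict_types=1);

// Assumed for the example: a MySQL table `users` (id, email, created_at) and
// placeholder connection details; replace them with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // real_escape_string is only correct for the connection's charset

// 1. The pattern from the question: undo magic quotes if that legacy setting is
//    on, escape, then concatenate. Correct only when every value is both quoted
//    and escaped, with the connection charset set as above.
function legacyEscape(mysqli $db, string $value): string
{
    // get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $db->real_escape_string($value);
}

function findByEmailEscaped(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . legacyEscape($db, $email) . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// 2. Prepared statement: the value is sent separately from the SQL text, so
//    there is nothing to quote or escape and magic quotes do not matter
//    (apart from stripslashes if that legacy setting is on).
function findByEmailPrepared(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// 3. The case from the reply: a column name and a sort direction are not
//    values, so they cannot be bound. Map the request input onto an allow-list
//    of identifiers you wrote yourself; the raw string never reaches the SQL.
const SORTABLE_COLUMNS = ['id' => 'id', 'email' => 'email', 'created' => 'created_at'];

function listUsersSorted(mysqli $db, string $sortKey, string $direction, int $limit): array
{
    if (!isset(SORTABLE_COLUMNS[$sortKey])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $column = SORTABLE_COLUMNS[$sortKey];                           // identifier from the allow-list
    $dir    = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';    // fixed keyword, not user text

    $stmt = $db->prepare("SELECT id, email FROM users ORDER BY `$column` $dir LIMIT ?");
    $stmt->bind_param('i', $limit);                                 // the value part is still bound
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with a constructed request value that contains a quote character:
$input = "alice@example.com' OR '1'='1";
var_dump(findByEmailEscaped($db, $input));   // no row: the quote was escaped, so it is one literal
var_dump(findByEmailPrepared($db, $input));  // no row: the whole string is a single bound value
print_r(listUsersSorted($db, 'created', 'desc', 10));
```

The third function is where the reply's caveat bites: the placeholder covers `LIMIT`, but the `ORDER BY` column and direction have to be chosen from strings the application owns, which is the same discipline dynamic SQL needs everywhere.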