Prepared Statements or mysqli->real_escape_string?

Posted: Thu May 15, 2008 10:51 am
by chidge
So for the dreaded SQL injections.

I have been using a homemade function that strips GPC if it's on and then runs the variable through mysqli->real_escape_string. The "safe" variables are then placed directly into the SQL statement - up until now.

But I have just read a great new book saying that prepared statements are the way.

Is this just a matter of preference, or is one better than the other?

Newbie to PHP here. I have read and now understand loads, but the questions that can be asked here can't be answered in books!

Cheers

Re: Prepared Statements or mysqli->real_escape_string?

Posted: Fri May 16, 2008 12:53 pm
by Mordred
Beware of the magic quotes, you're probably making this mistake: http://www.logris.org/security/the-curs ... gic-quotes

Tripping points for dynamic SQL queries: http://www.webappsec.org/projects/articles/091007.shtml

Prepared statements are okay, until you try to insert things which are not values, in which case you fall in the same dangerous territory as dynamic SQL queries, and the article above becomes relevant once more.
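The two posts above contrast escaping with prepared statements, and then point out that placeholders only carry values, not identifiers. The following is an added example (not code from either poster) that puts the three cases side by side in mysqli: chidge's escape-then-interpolate approach with the magic-quotes pitfall handled, the prepared-statement equivalent, and an allow-list for the ORDER BY column and direction that no placeholder can express. The `products` table, its columns, the `$_GET` parameter names and the connection credentials are all assumed.

```php
<?php
// Added example, not from the thread. Table "products", its columns and the
// connection details are hypothetical.
declare(strict_types=1);

// Make mysqli throw on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. The escaping approach from the first post. It is only correct when
//    (a) magic quotes have not already escaped the value,
//    (b) the escaped value lands inside a quoted string literal, and
//    (c) the connection charset was set with set_charset(), so that
//        real_escape_string() knows which bytes it is escaping.
function unmagic(string $value): string
{
    // magic_quotes_gpc was removed in PHP 5.4; the guard keeps old code honest
    // on both old and new interpreters.
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value)
        : $value;
}

function findByNameEscaped(mysqli $db, string $name)
{
    $safe = $db->real_escape_string(unmagic($name));
    // The surrounding quotes are essential: escaping an unquoted value does nothing.
    return $db->query("SELECT id, name, price FROM products WHERE name = '$safe'");
}

// 2. The prepared-statement approach. The value never becomes part of the SQL
//    text, so neither quoting nor escaping is needed.
function findByNamePrepared(mysqli $db, string $name)
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result();   // requires the mysqlnd driver
}

// 3. Mordred's caveat: a column name or sort direction is not a value, so a
//    placeholder cannot carry it. Map the request onto a fixed allow-list and
//    build the SQL from the allow-listed strings only, never from the input.
const SORTABLE_COLUMNS = ['name' => 'name', 'price' => 'price', 'id' => 'id'];

function listSorted(mysqli $db, string $column, string $direction)
{
    if (!isset(SORTABLE_COLUMNS[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $sql = sprintf('SELECT id, name, price FROM products ORDER BY `%s` %s',
                   SORTABLE_COLUMNS[$column], $dir);
    return $db->query($sql);
}

// Usage (assumes a reachable MySQL server; credentials are placeholders).
$db = new mysqli('localhost', 'app_user', 'app_password', 'shop');
$db->set_charset('utf8mb4');

$input = $_GET['name'] ?? "O'Reilly";   // the apostrophe is the classic trip-up
foreach ([findByNameEscaped($db, $input), findByNamePrepared($db, $input)] as $result) {
    while ($row = $result->fetch_assoc()) {
        echo $row['name'], ' ', $row['price'], PHP_EOL;
    }
}

$sorted = listSorted($db, $_GET['sort'] ?? 'price', $_GET['dir'] ?? 'asc');
while ($row = $sorted->fetch_assoc()) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```

Both lookup functions return the same rows for the `O'Reilly` input; the difference is how much the caller has to get right. The escaped version depends on three separate conditions being true at once, while the prepared version depends on none of them, which is why the book chidge mentions recommends it. The third function is the part neither approach covers: the input is never placed in the query at all, only the allow-listed string it maps to.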