SQL Inject / mysqli_real_escape_string
#1
How to prevent SQL injection using something other than mysqli_real_escape_string and statements of mysqli?
#2
I guess you mean "prepared statements"? Why can't you make use of them?

The alternative is of course to never directly put any user input into the query. This can be accomplished by comparing the input against certain, known constants, and setting a matching constant in the query.

E.g.
Code:
if ($_GET['input'] === "test") {
    $myvar = "testconstant";
}
// ... further else-if branches mapping other known inputs to their constants
else {
    exit("unknown input");   // nothing matched: do not run the query at all
}
// $mysqli is an assumed open mysqli connection; mysql_execute() in the original is not a PHP function
mysqli_query($mysqli, "SELECT * FROM x WHERE y='$myvar'");

Other alternatives include running intval() or similar on the variables, so that you know that the result will be only a number.
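The three approaches from this reply (concatenation as the thing to avoid, a whitelist that maps known input to a known constant, and intval()-style coercion) side by side with a parameterized query, as an added example that is not from this thread. It is written in Python against an in-memory SQLite table rather than PHP/mysqli so it runs offline; the table, its rows, the ROLE_MAP whitelist and all function names are constructed for the demonstration. Note that Python's int() rejects anything that is not a whole number, whereas PHP's intval() would silently truncate "1 OR 1=1" to 1; either way only a number reaches the query.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the thread).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    # The pattern the thread warns against: raw input spliced into SQL text,
    # so a quote in the input changes the structure of the statement.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_param(conn, name):
    # Parameterized query: the driver receives the value separately from the
    # SQL text, so the input can never be parsed as SQL.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# Whitelist from the reply: every accepted input maps to a constant that we wrote,
# and only that constant is ever placed in the query.
ROLE_MAP = {"admins": "admin", "users": "user"}


def find_by_role_whitelist(conn, role_key):
    if role_key not in ROLE_MAP:
        return None  # unknown input: refuse rather than guess (mirrors the exit() in the reply)
    role = ROLE_MAP[role_key]  # a constant under our control, not the user's bytes
    return conn.execute(
        f"SELECT name FROM users WHERE role = '{role}' ORDER BY name"
    ).fetchall()


def find_by_id_intval(conn, raw_id):
    # intval()-style coercion: whatever arrived, only an integer reaches the query.
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("param lookup:", find_user_param(db, "alice"))
    print("whitelist lookup:", find_by_role_whitelist(db, "users"))
    print("int lookup:", find_by_id_intval(db, "1"))
```

The whitelist and int-coercion functions still build the SQL string with an f-string, which is safe only because the interpolated value is a constant the code chose or a bare integer; the moment the interpolated value can carry user bytes you are back to the unsafe variant, so reach for the parameterized form whenever the value itself is user data.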