Assessing the Integrity of mysql_real_escape_string()
Concerns have been raised regarding the reliability of mysql_real_escape_string() in safeguarding database queries from SQL injection attacks. Critics reference older articles suggesting potential flaws in the function's ability to provide adequate protection.
MySQL's Documentation
The MySQL C API documentation for mysql_real_escape_string() acknowledges this concern:
If you need to change the character set of the connection, you should use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.
PHP's Counterpart
In PHP, mysql_set_charset() functions in a similar manner to MySQL's mysql_set_character_set() and serves as the PHP counterpart.
Proofcode
<?php
$str = "'mystring'";
// Set encoding
mysql_set_charset('utf8');
// Escape string with correct encoding
$escaped_str = mysql_real_escape_string($str);By utilizing mysql_set_charset() to modify the encoding before employing mysql_real_escape_string(), you ensure that the character set is correctly set and that the function operates as intended. This addresses concerns about potential vulnerabilities and allows mysql_real_escape_string() to effectively protect against SQL injection attacks.
The above is the detailed content of Is mysql_real_escape_string() Still a Reliable Protection Against SQL Injection?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
