Is mysql_real_escape_string() a Broken Function?
Concerns have been raised about whether mysql_real_escape_string() reliably mitigates SQL injection, even when it is used correctly. Skeptics cite older articles as evidence of its flaws.
Can mysql_real_escape_string() Still Be Utilized?
To answer this question, we delve into the MySQL C API documentation for mysql_real_escape_string():
"If you need to change the character set of the connection, use mysql_set_character_set() instead of executing SET NAMES."
Code Demonstration:
mysql_real_escape_string()
Explanation:
According to the documentation, mysql_set_character_set() also updates the character set that mysql_real_escape_string() uses for escaping, whereas executing SET NAMES changes only the server side of the connection and leaves the client library escaping with its previous character set. In PHP, the corresponding call is mysql_set_charset(), so use it instead of SET NAMES to change the connection encoding.
Conclusion:
While mysql_real_escape_string() is not broken in itself, it must be used together with mysql_set_character_set() (mysql_set_charset() in PHP) rather than SET NAMES, so that the escaping routine and the server agree on the character set and the escaping cannot be undermined by a character set mismatch.
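The weak and the corrected way of changing the connection character set, side by side, as an added example that is not part of the original article. It uses the mysqli equivalents of the functions named above (mysqli_set_charset() wraps the C API's mysql_set_character_set(), mysqli_real_escape_string() wraps mysql_real_escape_string()); the connection parameters, the users table and the utf8mb4 character set are assumptions.

```php
<?php
// Added example, not from the original article. Host, credentials,
// the `users` table and the utf8mb4 character set are placeholders.

function connect_weak(): mysqli
{
    $db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
    // WEAK: SET NAMES tells only the server which character set to use.
    // The client library keeps escaping with the character set it was
    // initialised with, so escaping and server-side parsing can disagree.
    mysqli_query($db, 'SET NAMES utf8mb4');
    return $db;
}

function connect_correct(): mysqli
{
    $db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
    // CORRECT: mysqli_set_charset() updates both the server and the client
    // library, so mysqli_real_escape_string() escapes for the same
    // character set the server will parse the query with.
    if (!mysqli_set_charset($db, 'utf8mb4')) {
        throw new RuntimeException('Cannot set charset: ' . mysqli_error($db));
    }
    return $db;
}

// Defensive check: the client library's own view of the character set
// (what the escaping routine uses) must match what the application expects.
// After connect_weak() this check fails unless the default already matched;
// after connect_correct() it passes.
function charset_consistent(mysqli $db, string $expected): bool
{
    return mysqli_character_set_name($db) === $expected;
}

function find_user(mysqli $db, string $name): ?array
{
    if (!charset_consistent($db, 'utf8mb4')) {
        throw new LogicException('Connection charset does not match escaping charset');
    }
    $safe = mysqli_real_escape_string($db, $name);
    $result = mysqli_query($db, "SELECT id, name FROM users WHERE name = '$safe'");
    return $result ? (mysqli_fetch_assoc($result) ?: null) : null;
}

$db = connect_correct();
var_dump(find_user($db, "O'Brien"));
```

Prepared statements with bound parameters remain the preferred defence; the check above matters when legacy code still relies on string escaping.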