Timeline for How can I prevent SQL injection in PHP?
Current License: CC BY-SA 4.0
18 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| May 17, 2022 at 7:55 | comment | added | Gregory R. |
use mysqli_real_escape_string instead
|
|
| May 9, 2019 at 3:05 | history | edited | Theodore R. Smith | CC BY-SA 4.0 |
Added appropriate warnings.
|
| Jul 7, 2017 at 14:55 | history | made wiki | Post Made Community Wiki by animuson♦ | ||
| May 23, 2017 at 12:34 | history | edited | URL Rewriter Bot |
replaced http://stackoverflow.com/ with https://stackoverflow.com/
|
|
| Mar 3, 2016 at 11:00 | comment | added | cjohansson | Ok the bypass says nothing about "To learn more about why prepared statements are better at stopping SQL injection, refer to this mysql_real_escape_string() bypass". Rather the opposite, that prepared statements suffer the same issues and PDO is not an exception. "It gets worse. PDO defaults to emulating prepared statements with MySQL. That means that on the client side, it basically does a sprintf through mysql_real_escape_string() (in the C library), which means the following will result in a successful injection:" | |
| Jun 1, 2015 at 13:45 | history | edited | Scott Arciszewski | CC BY-SA 3.0 |
Add disclaimer with references to back up the warnings.
|
| May 29, 2015 at 19:54 | comment | added | Scott Arciszewski | @rahularyansharma I'd like to request this be modified with a disclaimer: Prepared Statements are easier to use safely and are more secure from an engineering standpoint: the parameters and the query string are sent in separate packets, thus preventing the parameters from altering the query string. Also: stackoverflow.com/questions/5741187/… | |
| Apr 8, 2015 at 6:41 | comment | added | jww |
mysql_real_escape_string is now deprecated, so its no longer a viable option. It will be removed in the future from PHP. Its best to move onto what the PHP or MySQL folks recommend.
|
|
| Jun 16, 2014 at 14:58 | comment | added | user399666 | @eggyal Especially if you're messing around with different charsets. | |
| May 30, 2014 at 18:31 | history | edited | Peter Mortensen | CC BY-SA 3.0 |
Copy edited.
|
| Apr 25, 2014 at 14:50 | comment | added | eggyal |
WARNING! mysql_real_escape_string() is not infallible.
|
|
| Mar 12, 2014 at 22:38 | comment | added | Nazca | you dont use functions to write correct input data-strings. You just write correct ones that don't need escaping or have already been escaped. mysql_real_escape_string() may have been designed with the purpose you mention in mind, but its only value is preventing injection. | |
| Jul 9, 2013 at 5:01 | comment | added | sectus |
I am not agree with this 'a specially-made function to prevent these attacks'. I think that mysql_real_escape_string purpose is in allow to build correct SQL query for every input data-string. Prevention sql-injection is the side-effect of this function.
|
|
| Feb 26, 2013 at 12:42 | comment | added | Álvaro González | This is the best you can do with legacy mysql extension. For new code, you're advised to switch to mysqli or PDO. | |
| S Feb 18, 2013 at 6:58 | history | suggested | Tony Stark | CC BY-SA 3.0 |
add link & minor formatting changes
|
| Feb 18, 2013 at 6:54 | review | Suggested edits | |||
| S Feb 18, 2013 at 6:58 | |||||
| Jun 20, 2011 at 18:39 | history | edited | gnur | CC BY-SA 3.0 |
added code tags
|
| Jun 17, 2011 at 4:00 | history | answered | rahularyansharma | CC BY-SA 3.0 |