Possible Duplicate:
Best way to stop SQL Injection in PHP

It seems far too good to be true to me that this simple function does all I need. Yet most of my Google searches lead to results that basically say "just use this function and all will be well!".

I've seen a couple that briefly, or at too high a level for my own beginner mind to quite grasp, talk about parameterized SQL statements. Are these necessary, and if so, can someone point me to a good link?

+1 A:

An alternative viewpoint: http://littlebobbytables.com/

Edit: wow, that's totally the wrong website: try this one: http://bobby-tables.com/

lod3n
That has a domain now? Awesome!
alex
I was wondering... that link is much more helpful but I didn't see anything on PHP. :\
Chris Sobolewski
@Chris Sobolewski; for PHP look at the mysqli and PDO extensions.
Inshallah
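The question asks what a parameterized SQL statement is, and the comment above points at the mysqli and PDO extensions. The following is an added example, not code from any of the posters: the same lookup written three ways, first with the value spliced into the SQL text (the pattern escaping functions try to make safe), then as a PDO prepared statement with a named placeholder, then as a mysqli prepared statement. The DSN, credentials and the `users(id, username, email)` table are placeholders assumed for the example.

```php
<?php
// Added example, not from the original question or answers. Assumes a MySQL
// database reachable with the placeholder DSN/credentials below and a table
// `users(id, username, email)`; none of these values come from the page.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                         // placeholder user
        'app_password',                                     // placeholder password
        [
            // Throw on SQL errors instead of silently returning false.
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements instead of having the
            // driver escape values and splice them into the query string.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// VULNERABLE PATTERN: the user-supplied value becomes part of the SQL text, so a
// quote or comment character in $username changes the structure of the query.
// Escaping functions try to patch this up after the fact; they are what the
// question is about, and they depend on the connection's character set.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// PARAMETERIZED (PDO): the SQL text is fixed when the statement is prepared; the
// value is sent separately as a parameter, so the server never parses it as SQL
// no matter which characters it contains.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// PARAMETERIZED (mysqli): same idea with positional placeholders and bind_param.
// get_result() needs the mysqlnd driver, which is the default in modern PHP.
function findUserMysqli(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$pdo = connect();
// A legitimate name containing an apostrophe is just data to the prepared
// statement; to findUserUnsafe() the same input is a syntax error.
var_dump(findUserSafe($pdo, "o'brien"));
```

The practical difference is where the query's structure is decided: in `findUserUnsafe()` it is decided after the user's input has been mixed in, so correctness rests on escaping every value correctly for the connection's character set; in the two prepared-statement versions the structure is fixed before any value is supplied, which is why the accepted advice is to parameterize rather than escape.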
A: 

It will be all you need provided you don't change the character set of the database, IIRC.

alex
A: 

Have a look at this question, excellent accepted answer: http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysqlrealescapestring-keep-my-php-code-safe-from-injec

ryeguy
Would have been better as a comment, no?
musicfreak
Not really, it answers his question.
ryeguy