Quick MySQLi security question [duplicate]

2019-07-05 15:02发布

Possible Duplicate:
Do I have to use mysql_real_escape_string if I bind parameters?

I have a quick MySQLi security related question...

For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exist):

$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);

// query db
if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?"))
{
    $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
    $stmt->execute();
    $stmt->store_result();

    // check if there is a match in the database for the user/password combination
    if ($stmt->num_rows > 0)
    {}
}

In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?

2条回答
SAY GOODBYE
2楼-- · 2019-07-05 15:32

No, you do not need to use mysql_real_escape_string if you are binding the parameters using prepared statements. In fact using it will give you the wrong result as the escaped data will be inserted into the database. mysql_real_escape_string is needed when the parameter is written directly into the SQL string without using parameters.

查看更多
对你真心纯属浪费
3楼-- · 2019-07-05 15:41

Yes since there are non html related entities that can cause harm to your database that real escape string catches. Like UTF-8 characters.

But as noted here in the comments you are using mysqli prepare and that is enough.

BTW MySQLi has it's own escape string function. if you are interested.

查看更多
登录 后发表回答