Is using mysql_real_escape_string enough to prevent SQL injections in PHP?

Using `mysql_real_escape_string` is not enough to prevent SQL injections in PHP. It is recommended to use prepared statements with parameterized queries to fully protect against SQL injections. Prepared statements separate SQL code from user input, making it impossible for an attacker to inject malicious SQL code.

// Establish a connection to the database
$mysqli = new mysqli(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Check connection
if ($mysqli-&gt;connect_error) {
    die(&quot;Connection failed: &quot; . $mysqli-&gt;connect_error);
}

// Using prepared statements to prevent SQL injections
$stmt = $mysqli-&gt;prepare(&quot;SELECT * FROM users WHERE username = ?&quot;);
$stmt-&gt;bind_param(&quot;s&quot;, $username);

// Set parameters and execute
$username = $_POST[&#039;username&#039;];
$stmt-&gt;execute();

// Fetch result
$result = $stmt-&gt;get_result();
while ($row = $result-&gt;fetch_assoc()) {
    // Process the fetched data
}

// Close statement and connection
$stmt-&gt;close();
$mysqli-&gt;close();

Keywords

mysql_real_escape_string SQL injections PHP security prevention

Is using mysql_real_escape_string enough to prevent SQL injections in PHP?

Keywords

Related Questions