SQL Injection and mysqli_real_escape_string()

September 7, 2012

There’s a lot of misinformation out and about when it comes to security, which is truly unfortunate. I particularly see misunderstandings when it comes to whether or not the mysqli_real_escape_string() function actually protects you from SQL injection attacks. (Some people erroneously argue that you shouldn’t use mysqli_real_escape_string() and should only use prepared statements.) I recently found a good, in-depth discussion of this specific issue on, not-surprisingly, Stack Overflow.

You can read the whole page, of course (but be careful of the other misinformation demonstrated), but the best, most thorough answer is explained about midway down the page. Spoiler alert: yes, mysqli_real_escape_string() can be circumvented, but only in very obscure situations not likely to apply to you or most everyone else.