Is mysql_real_escape_string enough?

MatthewHSE · July 20, 2011, 7:56pm

Just a quick question regarding PHP/MySQL security:

Does mysql_real_escape_string() provide sufficient protection to safely write user-submitted data to a database without any further validation? In other words, would the following be considered secure code:

<?php
$data = mysql_real_escape_string($_POST['BigTextField']);
mysql_query("INSERT INTO Table SET BigTextField='$data'");
?>

I’m aware this could cause problems if/when the data is retrieved and displayed to users, but right now I’m mainly concerned if this code is secure from the standpoint of MySQL or PHP injection attacks.

Paul_Wilkins · July 21, 2011, 1:32am

mysql_real_escape_string only protects the database from potential dangers within the string. If you want to protect your web page from potential dangers in the string, you will need to separately escape the string for the web page by using [URL=“http://php.net/manual/en/function.htmlentities.php”]htmlentities, or [URL=“http://php.net/manual/en/function.htmlspecialchars.php”]htmlspecialchars

felgall · July 22, 2011, 2:03am

An even better way to protect your database from injection is to make it impossible by keeping the SQL and data separate by using prepare and bind statements - either using mysqli or PDO. That eliminates even those attacks that might get past mysql_real_escape_string.