I have an android app and it is connected to a php page with post method And I'm using mysqli_real_escape_string, as user can't see any error while logging in to my app in android,
Is escape string enough to prevent sql injection in my case ?
Am Using volley in android to post data
$email = $_POST['email'];
$email = mysqli_real_escape_string($con,$email);
答案 0 :(得分:0)
It depends on whether the variable is inside a string or not, if it is then you're fairly safe but there should be no reason just to implement prepared statements instead. Read more about it here: http://php.net/manual/en/mysqli.prepare.php
Example below is from that site.
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$city = "Amersfoort";
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
/* bind parameters for markers */
$stmt->bind_param("s", $city);
/* execute query */
$stmt->execute();
/* bind result variables */
$stmt->bind_result($district);
/* fetch value */
$stmt->fetch();
printf("%s is in district %s\n", $city, $district);
/* close statement */
$stmt->close();
}
/* close connection */
$mysqli->close();
?>