I want to know if I can use mysqli_real_escape_string in a second way. Usually I use it like this:
$name = $_POST['name'];
$nameSecure = mysqli_real_escape_string($con, $name);
$sql = "SELECT * FROM persions WHERE firstname = {$nameSecure}";
$con->query($sql);
But when I have more $_POST values, can I use mysqli_real_escape_string this way:
$name = $_POST['name'];
$sql = "SELECT * FROM persions WHERE firstname = {$name}";
$con->query(mysqli_real_escape_string($con, $sql));
Is there any difference between these two methods? Actually, I didn't see anybody use the second way. Can I use the second way, and is there any difference in security between these two methods?
Is there any difference between these two methods?
Yes. The first method just escapes the $name string, while the second escapes the entire query string.
While this is not a problem for your specific query, it could be a problem for queries, such as:
SELECT * FROM table WHERE name = 'string';
Since mysqli_real_escape_string would escape the quotes, resulting in the query:
SELECT * FROM table WHERE name = \'string\';
On a related note, I would encourage you to read about Prepared Statements.
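To make the difference concrete, here is an added PHP script (not code from the question or the answer) that runs the same lookup three ways: escaping only the value, escaping the whole query, and a prepared statement. It assumes a reachable MySQL server, placeholder credentials, and a table named persons with a firstname column; the input "O'Brien" is a constructed example of a legitimate value containing a quote. Note that the escaped value is placed inside single quotes: mysqli_real_escape_string only protects a value that sits inside a quoted string literal, so the unquoted {$name} in the original query would not be protected by either method.

```php
<?php
// Added example, not from the original question or answer.
// Assumes a MySQL server with placeholder credentials and a table created by:
//   CREATE TABLE persons (id INT PRIMARY KEY AUTO_INCREMENT, firstname VARCHAR(64));
mysqli_report(MYSQLI_REPORT_OFF); // return errors instead of throwing, so each attempt is shown
$con = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($con->connect_error) {
    die("connect failed: " . $con->connect_error . "\n");
}

// Constructed input: a legitimate name that contains a single quote.
$name = "O'Brien";

// Method 1: escape only the untrusted value, then put it inside quotes.
$nameSecure = mysqli_real_escape_string($con, $name);
$sql1 = "SELECT * FROM persons WHERE firstname = '{$nameSecure}'";
// Produces: SELECT * FROM persons WHERE firstname = 'O\'Brien'   (valid SQL)

// Method 2: interpolate first, then escape the whole query string.
$sql2 = mysqli_real_escape_string($con, "SELECT * FROM persons WHERE firstname = '{$name}'");
// Produces: SELECT * FROM persons WHERE firstname = \'O\'Brien\'
// The quotes that delimit the string literal are escaped too, so MySQL
// rejects the statement with a syntax error.

foreach (['method 1' => $sql1, 'method 2' => $sql2] as $label => $sql) {
    echo "$label: $sql\n";
    $result = $con->query($sql);
    if ($result === false) {
        echo "  FAILED: " . $con->error . "\n";
    } else {
        echo "  OK, rows: " . $result->num_rows . "\n";
        $result->free();
    }
}

// Preferred: a prepared statement. The value is sent separately from the
// SQL text, so no escaping is needed and quoting mistakes cannot occur.
$stmt = $con->prepare("SELECT * FROM persons WHERE firstname = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
$rows = $stmt->get_result();
echo "prepared: OK, rows: " . $rows->num_rows . "\n";
$stmt->close();
$con->close();
```

Running it shows method 1 and the prepared statement succeeding while method 2 fails with a MySQL syntax error, because escaping the whole query also escapes the quotes the query itself needs. The prepared statement is the form to standardise on: it removes the need to remember where escaping and quoting have to happen for every variable.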