On the Internet I found only one way to crack a MySQL database: SQL injection. However, in the same place I found a solution for keeping unwanted characters out of mysql_query:

     <?php
     $query = sprintf("SELECT * FROM sometable WHERE somevar='%s'",
                      mysql_real_escape_string($var));
     mysql_query($query);

Nevertheless, many people strongly recommend switching to other extensions for working with MySQL (PDO, for example), considering the original API unsafe a priori and insufficiently functional. I have no complaint about the latter, but security matters to me.

And here is the question: does the code above completely protect me from hacker attacks? If not, can I be fully secure without switching to other extensions?

  • The mysql extension for PHP was officially declared obsolete a few years ago (php.net/manual/ru/function.mysql-query.php; it says so right in the red box at the top). If I'm not mistaken, it is already missing in current PHP 7.* versions. So it is not just "what people say". But you don't have to switch to PDO; you can simply use mysqli in the same way. - Ivan Pshenitsyn
  • I myself recently asked a similar question and settled on PDO. phpfaq.ru/pdo A bit of information - user190134
  • Basically protected. From SQL injection. But it doesn't protect you from the problems of moving to other hosting, especially in the future, when there will be fewer and fewer hosts whose PHP still has the mysql_* functions. Plus, mass execution of queries with differing text overflows the query cache and degrades the performance of the server as a whole. With PDO and bindParam there is no such problem, because there are few distinct queries: the query texts contain question marks instead of parameters. - Mike

3 answers

If we consider the situation only in the context of "protecting queries from hacker attacks", then the answer is: "Yes, the code above completely protects against hacker attacks."

However, for the other aspects of development you also need to consider the following:

    To protect against SQL injection, switch to the PDO or mysqli extension and use the bindParam function.

    The mysql_* functions are deprecated and are no longer supported.

    PDO usage example

     <?php
     /* Executing a query with bound PHP variables */
     $calories = 150;
     $colour = 'red';
     $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
                           WHERE calories < :calories AND colour = :colour');
     $sth->bindParam(':calories', $calories, PDO::PARAM_INT);
     $sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
     $sth->execute();

    Documentation

    Example for mysqli

     <?php
     $sql = 'SELECT id, lastname FROM customers WHERE category = ? AND lastname LIKE ?';
     $stmt = $conn->prepare($sql);
     $category_id = 1;
     $lastname = '%Smith%';
     /* Bind the parameters. Types: s = string, i = integer, d = double, b = blob */
     $stmt->bind_param('is', $category_id, $lastname);
     $stmt->execute();

    Documentation
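The following script is an added example and is not code from the question or from either answer. It puts the question's escape-and-quote pattern (sprintf() around mysql_real_escape_string()) next to a PDO prepared statement and runs a constructed injection payload through each, so you can see which queries leak rows. Because the mysql_* functions no longer exist in current PHP, PDO::quote() stands in for the escaping step; it does the same job (escape the value and wrap it in quotes). The script assumes the pdo_sqlite extension is loaded so it can run offline against an in-memory database; the SQL is unchanged on MySQL.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Assumption: pdo_sqlite is available, so the script runs offline.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE sometable (id INTEGER PRIMARY KEY, somevar TEXT, secret TEXT)');
// Constructed sample rows.
$dbh->exec("INSERT INTO sometable (somevar, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// Constructed attacker input: closes the string literal and appends a tautology.
$hostile = "x' OR '1'='1";

// 1. Raw interpolation: the quote in $var terminates the literal and the
//    OR clause becomes SQL. Every row comes back.
function interpolated(PDO $dbh, string $var): array {
    $sql = "SELECT id FROM sometable WHERE somevar='" . $var . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escape and quote, the equivalent of the question's
//    sprintf("... somevar='%s'", mysql_real_escape_string($var)).
//    PDO::quote() escapes the embedded quote and adds the surrounding quotes,
//    so the whole input is compared as one string and no row matches.
function escapedAndQuoted(PDO $dbh, string $var): array {
    $sql = 'SELECT id FROM sometable WHERE somevar=' . $dbh->quote($var);
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement with a bound parameter, as the answer recommends.
//    The value never becomes part of the query text, so there is nothing to escape.
function bound(PDO $dbh, string $var): array {
    $sth = $dbh->prepare('SELECT id FROM sometable WHERE somevar = :somevar');
    $sth->bindParam(':somevar', $var, PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Where escaping alone stops helping: a value used without quotes, such as
//    a numeric id. "1 OR 1=1" contains no quote, backslash or NUL byte, so
//    mysql_real_escape_string() returns it unchanged and the "escaped" query
//    is identical to this one. Every row comes back again.
function unquotedInterpolated(PDO $dbh, string $id): array {
    $sql = 'SELECT id FROM sometable WHERE id=' . $id;
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix for case 4: validate the type before the value gets near the query,
// then bind it as an integer. Non-integers are rejected without querying.
function lookupById(PDO $dbh, string $id): ?array {
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return null;
    }
    $sth = $dbh->prepare('SELECT id FROM sometable WHERE id = :id');
    $sth->bindValue(':id', $int, PDO::PARAM_INT);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

printf("interpolated:       %s\n", json_encode(interpolated($dbh, $hostile)));
printf("escaped and quoted: %s\n", json_encode(escapedAndQuoted($dbh, $hostile)));
printf("bound parameter:    %s\n", json_encode(bound($dbh, $hostile)));
printf("unquoted id:        %s\n", json_encode(unquotedInterpolated($dbh, '1 OR 1=1')));
printf("validated + bound:  %s\n", json_encode(lookupById($dbh, '1 OR 1=1')));
printf("validated + bound:  %s\n", json_encode(lookupById($dbh, '2')));
```

Run it with `php script.php`. Cases 2 and 3 both return nothing for the hostile string, which is why the first answer can say the question's snippet is protected: escaping is sound as long as every escaped value sits inside quotes. Case 4 is the pattern that breaks that guarantee, and prepared statements remove the whole class of mistake because the value is never spliced into the SQL text. One further caveat for anyone staying on the escaping approach: mysql_real_escape_string() escapes according to the connection's character set, so that character set must be set through the API (mysql_set_charset()) rather than with a bare SET NAMES query, or the function may escape for the wrong encoding.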

      No, you are not completely secure. You are not protected against direct connections to your MySQL server. Limit the IP addresses from which it is possible to connect to your database, both in the MySQL user settings and in the firewall settings.