Please tell me whether quotes protect against SQL injection. I have this code:

    // Login check: $mail and $pass come from the request and are dropped straight into the SQL text
    mysqli_query($link, "SELECT `kredits` FROM `users` WHERE `mail` = '$mail' AND `password` = '$pass'");

    // Withdrawal record: $zsum and $summal are interpolated the same way
    mysqli_query($link, "INSERT INTO `vivod` (`summa`, `email`) VALUES ('$zsum', '$summal')");

Are they protected from SQL injection? And if not, can mysqli_real_escape_string protect them?

1 answer

No, they do not protect. Try this:

    $db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // substitute your own connection details here
    // Placeholders (?) instead of interpolated variables: the values never become part of the SQL text
    $stmt = $db->prepare("SELECT `kredits` FROM `users` WHERE `mail` = ? AND `password` = ?");
    $stmt->bind_param('ss', $email, $password); // 's' = string, one letter per placeholder
    $stmt->execute();
    $stmt->bind_result($kredits);
    $stmt->fetch();

Well, here's the documentation
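The quote breakout the answer is warning about, shown end to end as an added example that is not part of the question or the answer. It uses Python with an in-memory SQLite database as a stand-in for the PHP/mysqli code so it runs offline; the `users` and `vivod` tables, the rows in them, and the `PAYLOAD` and `EXFIL` strings are all constructed for the example. The parameterized functions play the role of mysqli's `prepare`/`bind_param`. Note that `||` is SQLite's string concatenation; MySQL treats `||` as OR unless PIPES_AS_CONCAT is set and would need CONCAT() for the same exfiltration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's `users` and `vivod` tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (mail TEXT, password TEXT, kredits INTEGER)")
    con.execute("CREATE TABLE vivod (summa TEXT, email TEXT)")
    con.execute("INSERT INTO users VALUES ('alice@example.com', 's3cret', 100)")
    con.execute("INSERT INTO users VALUES ('bob@example.com', 'hunter2', 5)")
    return con


# --- the question's construction: values pasted between single quotes ---

def vulnerable_login(con, mail, pw):
    # Quotes around the placeholders do nothing once the value itself contains a quote:
    # the attacker's text is parsed as SQL, not as data.
    sql = f"SELECT kredits FROM users WHERE mail = '{mail}' AND password = '{pw}'"
    return con.execute(sql).fetchall()


def vulnerable_withdraw(con, zsum, summal):
    sql = f"INSERT INTO vivod (summa, email) VALUES ('{zsum}', '{summal}')"
    con.execute(sql)
    return con.execute("SELECT summa, email FROM vivod").fetchall()


# --- the answer's fix: placeholders, values sent separately from the SQL text ---

def safe_login(con, mail, pw):
    sql = "SELECT kredits FROM users WHERE mail = ? AND password = ?"
    return con.execute(sql, (mail, pw)).fetchall()


def safe_withdraw(con, zsum, summal):
    con.execute("INSERT INTO vivod (summa, email) VALUES (?, ?)", (zsum, summal))
    return con.execute("SELECT summa, email FROM vivod").fetchall()


# Constructed attacker inputs.
# Login bypass: closes the password literal, then ORs in a true condition.
# The generated SQL becomes: ... AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

# Exfiltration through the INSERT: the "email" value is rewritten into an expression
# that pulls another user's password out of the users table.
EXFIL = "'||(SELECT password FROM users WHERE mail='alice@example.com')||'"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable login with payload :", vulnerable_login(con, "nobody", PAYLOAD))
    print("safe login with payload       :", safe_login(con, "nobody", PAYLOAD))
    print("vulnerable insert with payload:", vulnerable_withdraw(make_db(), "10", EXFIL))
    print("safe insert with payload      :", safe_withdraw(make_db(), "10", EXFIL))
```

With the placeholder versions the same payload is compared and stored as a literal string, which is the point of the answer: the quoting is done by the driver, not by the SQL text you build.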