18-07-2015, 11:59 PM
Crg97 Wrote: Is mysqli_real_escape_string safe?
Fuck the dude that told you to google it.
The definition of the function - Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection.
Which means, in a situation like this:
Code:
$id = "' or 1=1-- -'";
// The value sits inside quotes, so the escaped quote stays part of the string literal
// (mysqli_real_escape_string needs the connection; in OOP style that is $con->real_escape_string)
$x = $con->query("SELECT * FROM cats WHERE id='" . $con->real_escape_string($id) . "'");
But, if it's like this:
Code:
$id = "1 or 1=1";
// The value is concatenated bare (no quotes), so there is nothing for the escaping to neutralise
$x = $con->query("SELECT * FROM cats WHERE id=" . $con->real_escape_string($id));
This will not do anything, since there aren't any special characters in $id, but it is still an SQLi and you can do everything that you can do with a string-based SQLi.
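The point of the reply above, as an added worked example that is not from the thread: SQLite stands in for MySQL so it runs offline, a constructed `escape()` (SQLite's quote-doubling, playing the role mysqli_real_escape_string plays in the post) shows that escaping only protects a value that lands inside a quoted literal, and the two extra functions show the fixes a defender would use for an unquoted numeric context, binding the value as a parameter or forcing its type first. The table, rows and function names are all made up for this example.

```python
import sqlite3


def make_db():
    """Constructed sample table; SQLite stands in for MySQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cats (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO cats VALUES (?, ?)",
                    [(1, "Tom"), (2, "Felix"), (3, "Garfield")])
    return con


def escape(value):
    """SQLite-style string escaping (double each single quote).

    Plays the role mysqli_real_escape_string plays in the post: it only
    neutralises quote characters. It knows nothing about the SQL context
    the value is concatenated into."""
    return value.replace("'", "''")


def quoted_lookup(con, user_input):
    # Value is inside quotes, so the escaped quote keeps the payload inside
    # the string literal; the WHERE clause compares id against a harmless text.
    sql = "SELECT * FROM cats WHERE id='" + escape(user_input) + "'"
    return con.execute(sql).fetchall()


def unquoted_lookup(con, user_input):
    # Value is concatenated bare, exactly like the second snippet in the post.
    # "1 or 1=1" contains no quote, escape() leaves it untouched, and the
    # whole thing is parsed as SQL: every row comes back.
    sql = "SELECT * FROM cats WHERE id=" + escape(user_input)
    return con.execute(sql).fetchall()


def parameterised_lookup(con, user_input):
    # Fix 1: bind the value. The driver sends it as data, never as SQL text,
    # so "1 or 1=1" is compared as a string against id and matches nothing.
    return con.execute("SELECT * FROM cats WHERE id=?", (user_input,)).fetchall()


def typed_lookup(con, user_input):
    # Fix 2 for numeric columns: force the type before the value reaches SQL
    # (the PHP equivalent is casting with (int)). Non-numeric input is rejected
    # with ValueError instead of being parsed as SQL.
    cat_id = int(user_input)
    return con.execute("SELECT * FROM cats WHERE id=?", (cat_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("quoted + escaped   :", quoted_lookup(db, "' or 1=1-- -'"))
    print("unquoted + escaped :", unquoted_lookup(db, "1 or 1=1"))
    print("parameterised      :", parameterised_lookup(db, "1 or 1=1"))
```

Running it shows the quoted lookup returning nothing for the injection string, the unquoted lookup returning all three rows even though the value went through `escape()`, and the parameterised lookup returning nothing; `typed_lookup` raises on the same input. The lesson matches the reply: escaping is tied to a quoted-string context, so for a bare number the right control is a bound parameter or a type cast, not escaping.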