Open olypros opened 7 years ago
Hi :)
"But the mysqli safe ?" mysqli_real_escape_string can be circumvented, but only in very obscure situations (not likely to apply to you or most everyone else).
More info in this answer: http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/12118602#12118602
So never set the charset with a query like `SET NAMES {charset}`. Use `mysqli_set_charset` or `mysqli_options($link, MYSQLI_SET_CHARSET_NAME, "{charset}")`.
There's also the issue of long-term maintenance. If you use concatenated queries, even if correctly escaped, future developers are more likely to make mistakes. There's a discussion about it here: https://github.com/laurent22/so-sql-injections/issues/3
Yeah, apart from maintenance. Technically there are no security flaws between mysqli (not mysql) and prepared statements, I think.
I know mysql_real_escape_string is not safe.
But is the mysqli one safe? (the improved version)
Give me one example that will get around this:
```php
$id = mysqli_real_escape_string($con, htmlentities(trim($id)));
$sql = "SELECT * from table where id = '$id' ";
```
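The one known way around a query built like the snippet above is the charset trick the linked answer describes: the connection charset is changed server-side with a plain `SET NAMES gbk` query, so the client library still escapes byte by byte, and the backslash it inserts fuses with the preceding byte into one valid GBK character, leaving the quote bare. The following is an added example, not code from this thread or from the so-sql-injections project, and it never talks to MySQL: `escape_single_byte`, `escape_multibyte_aware` and `literal_end` are simplified models (written from memory of the documented behaviour, not copies) of libmysqlclient's escape routine before and after `mysqli_set_charset('gbk')`, and of how a GBK-aware server lexer finds the end of a string literal. The payload and the table name are constructed.

```python
"""
Added example: byte-level model of the GBK / SET NAMES bypass of
mysqli_real_escape_string, and of why mysqli_set_charset() closes it.
The escaping and scanning rules below are simplified models, not the
real libmysqlclient or MySQL server code.
"""

GBK_HEAD = range(0x81, 0xFF)            # first byte of a two-byte GBK character
SPECIAL = b"\\'\"\x00\n\r\x1a"          # bytes a real_escape_string backslashes


def is_gbk_tail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F


def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a valid two-byte GBK character, else 1."""
    if data[i] in GBK_HEAD and i + 1 < len(data) and is_gbk_tail(data[i + 1]):
        return 2
    return 1


def escape_single_byte(data: bytes) -> bytes:
    """Model of the client after 'SET NAMES gbk' sent as a plain query: the
    library still believes the charset is single-byte and looks at each byte
    on its own, so a lone head byte 0xBF sails through and the quote behind it
    gets a backslash: 0xBF 0x27 -> 0xBF 0x5C 0x27."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out += b"\\"
        out.append(b)
    return bytes(out)


def escape_multibyte_aware(data: bytes) -> bytes:
    """Model of the client after mysqli_set_charset('gbk'): a valid two-byte
    character passes through whole, and a head byte that does NOT start a
    valid character gets its own backslash, so it can never fuse with the
    backslash that escapes the following quote: 0xBF 0x27 -> 0x5C 0xBF 0x5C 0x27."""
    out = bytearray()
    i = 0
    while i < len(data):
        if gbk_char_len(data, i) == 2:
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if b in SPECIAL or b in GBK_HEAD:
            out += b"\\"
        out.append(b)
        i += 1
    return bytes(out)


def literal_end(query: bytes, start: int) -> int:
    """Index of the quote closing the single-quoted literal opened at
    query[start], scanned the way a GBK-aware lexer does: a valid two-byte
    character is consumed whole, a backslash consumes the next byte, and only
    a bare single quote terminates the literal."""
    i = start + 1
    while i < len(query):
        if gbk_char_len(query, i) == 2:
            i += 2
        elif query[i] == 0x5C:          # backslash: skip the escaped byte
            i += 2
        elif query[i] == 0x27:          # bare quote: literal ends here
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")


def build_query(escaped_id: bytes) -> bytes:
    # Same shape as the snippet in the question (table name constructed).
    return b"SELECT * FROM t WHERE id = '" + escaped_id + b"'"


def injected(escaped_id: bytes) -> bool:
    """True if the literal closes before the intended final quote, i.e. the
    attacker's bytes left the string and became SQL."""
    q = build_query(escaped_id)
    return literal_end(q, q.index(b"'")) != len(q) - 1


# Constructed payload: 0xBF is a GBK head byte, 0x27 is the single quote.
PAYLOAD = b"\xbf\x27 OR 1=1 -- "

if __name__ == "__main__":
    naive = escape_single_byte(PAYLOAD)
    aware = escape_multibyte_aware(PAYLOAD)
    # Python's own GBK codec shows the fusion: 0xBF 0x5C is one character.
    print("0xBF 0x5C decodes to one GBK character:", b"\xbf\x5c".decode("gbk"))
    print("single-byte escape    :", naive.hex(" "),
          "-> injected" if injected(naive) else "-> safe")
    print("multibyte-aware escape:", aware.hex(" "),
          "-> injected" if injected(aware) else "-> safe")
```

Run it and the first variant reports `injected`: the server reads `0xBF 0x5C` as one character and the following `0x27` closes the literal, so `OR 1=1 --` is executed as SQL. The second reports `safe`, which is the whole reason the advice above is to use `mysqli_set_charset` rather than a `SET NAMES` query; a prepared statement avoids the question entirely because the parameter never passes through the lexer as part of the query text.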