Question

I'm having sql query as

$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

I see somehwere these leads to hack and possible to hack even with mysql_real_escape_string() function used. But I cannot think of any possible exploit?

Comments

Hello @Rohan

 You can use prepared statements because the security provision, performance benefits of statement re-use, standardised coding, and library maintainance always out-weigh any other alternative 'short-cut' method.

---

Thank you for this but Servers don't really do automatic updates as you claimed. Most servers are running LTS versions of Linux so they are still running relatively old PHP versions (lots of servers still on PHP 5.1 or 5.2). If they remove it in the next major release of PHP, there will be enough time to stop using mysql_* functions (and seriously nobody has been using it for years, it's only in legacy code) as it will take time (probably few years) until the new release is rolled into LTS releases

---

With ints there might be an even better way than that: rather than checking, simply turn it into what you're expecting. $value = (int) $value; or $value = intval($value);. It handles things like negative signs, which ctype_digit won't

---

Is mysqli_real_escape_string() helps then?

---

Yes, you can because mysqli_real_escape_string()  just remove that extension in PHP 7.0