mysqlの実際のエスケープ文字列は間違い

Question

私は私が私の変数にmysql_real_escape_stringのを追加するかどうかを知りたい

$get_id = "select * from `book` where id='".$mysqli->real_escape_string($id)."' limit 1"; 

Answer 1

SQLインジェクションを解決するのに十分だと、SQLインジェクションを解決いいえ、そうではありません。準備されたステートメントを使用する。

// Your connection settings 
$connData = ["localhost", "user", "pass", "database"]; 

$conn = new mysqli($connData[0], $connData[1], $connData[2], $connData[3]); 
$conn->set_charset("utf8"); 

if ($conn->connect_error) { 
    die("Connection failed: " . $conn->connect_error); 
} 

// Here we explain MySQL which will be the query 
$stmt = $conn->prepare("select * from book where id=? limit 1"); 

// Here we tell PHP which variable hash de "?" value. Also you tell PHP that $id has an integer ("i") 
$stmt->bind_param("i", $id); 

// Here we bind the columns of the query to PHP variables 
$stmt->bind_result($column1, $column2, ...); // <--- Whichever columns you have 

// Here we execute the query and store the result 
$stmt->execute(); 
$stmt->store_result(); 

// Here we store the results of each row in our PHP variables ($column1, column2, ...) 
while($stmt->fetch()){ 
    // Now we can do whatever we want (store in array, echo, etc) 
    echo "<p>$column1 - $column2 - ...</p>"; 
} 

$stmt->close(); 
$conn->close();