Are MySQLi Prepared Statements sufficient to prevent SQL injection?

A sibling question has been asked here. I am seeking perspective specific to the MySQLi extension.

In the linked sibling question, the paraphrased conclusion is no, PDO prepared statements are not 100% sufficient to prevent SQL injection. There are certain edge cases and PDO settings that are vulnerable to SQL injection.

My question is, are MySQLi prepared statements 100% sufficient to prevent SQL injection, or does that also have certain settings that we need to update to be totally safe?

Thanks for any help!


Prepared statements are a server feature, not a client library feature. Each mysql client library for PHP - pdo, mysql, and mysqli - use the libmysqlclient library and rely on that for features. PDO is the only library that adds the concept of emulated prepared statements.

All discussions about the security of using prepared statements apply to all client libraries equally. (except for PDO when it uses emulated prepared statements and you are saving data in gbk charset and you mismatch the charset setting at the server and the client library (incidentally this is the only known weakness against addslashes as well))


Yes, prepared statements are sufficient to prevent SQL injection, but only if you always use them.

No, prepared statements are not sufficient to prevent SQL injection, as not all statements are parameterizable, for example some set commands, however this can be mitigated with white lists and/or regexp.

链接地址: http://www.djcxy.com/p/93772.html

上一篇: PDO Prepared Statement和SQL LIKE多个值

下一篇: MySQLi准备好的语句足以防止SQL注入吗?