Is mysqli_real_escape_string enough to prevent SQL injection?

I have the following php script to insert a form user input data into the database. Is mysqli_real_escape_string enough to prevent SQL injection if I don't wish to use prepared statements to bind parameters to "?" placeholder?

   <?php
   $link = mysqli_connect("localhost", "root", "", "bizcontact");

   $name = mysqli_real_escape_string($link, $_POST['name']);
   $company = mysqli_real_escape_string($link, $_POST['company']);
   $position = mysqli_real_escape_string($link, $_POST['position']);
   $contact = mysqli_real_escape_string($link, $_POST['contact']);
   $email = mysqli_real_escape_string($link, $_POST['email']);
   $gender = mysqli_real_escape_string($link, $_POST['gender']);

   /* check connection */
   if (mysqli_connect_errno()) {
   printf("Connect failed: %s\n", mysqli_connect_error());
   exit();
   }

   $sql = "INSERT INTO businesscontact(name, company, position, phone,  email, gender) VALUES('$name', '$company', '$position', '$contact', '$email',  '$gender')";
   if (mysqli_query($link, $sql)){
   echo "success";
   }else{
   echo(mysqli_error($link));
   };

   /* close connection */
   mysqli_close($link);
   ?>

UPDATE

    $stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
    $stmt-> bind_param("ssssss", $name, $company, $position, $contact,  $email, $gender);
    if($stmt->execute()){
    echo "success";
   }else{
    echo(mysqli_error($link));
   }

edited Mar 9, 2017 at 16:32

asked Mar 9, 2017 at 15:54

Kayden

1333 silver badges16 bronze badges

Escaping the string is not safe. Check this out.

Jay Blanchard
– Jay Blanchard

2017-03-09 15:55:29 +00:00
Commented Mar 9, 2017 at 15:55
@JayBlanchard Can now add multiple dupe reasons. I added that Q as a second dupe

Machavity
– Machavity ♦

2017-03-09 16:03:58 +00:00
Commented Mar 9, 2017 at 16:03
Awesome @Machavity. I didn't know that.

Jay Blanchard
– Jay Blanchard

2017-03-09 16:06:29 +00:00
Commented Mar 9, 2017 at 16:06
@JayBlanchard Would the prepared statement that I've updated above be better? Or how can I improve it to make it more secure?

Kayden
– Kayden

2017-03-09 16:33:38 +00:00
Commented Mar 9, 2017 at 16:33
It' is OK regarding the query itself but you can improve the security by preventing an error text to be leaked to a hacker.

Your Common Sense
– Your Common Sense

2017-03-09 16:37:47 +00:00
Commented Mar 9, 2017 at 16:37

Add a comment |

0

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Collectives™ on Stack Overflow

Is mysqli_real_escape_string enough to prevent SQL injection? [duplicate]

0

Linked

Hot Network Questions