What characters are NOT escaped using the prepared mysqli statement?

Question

What characters are NOT escaped using the prepared mysqli statement?

I am trying to pin some of my PHP code and use prepared mysqli statements to better verify user input and prevent injection.

I switched from mysqli_real_escape_string since it does not escape% and _ . However, when I create my query as a prepared mysqli statement, the same flaw is still present. The request pulls out the value of the user cell based on their username. I would do something similar for passwords and other searches.

the code:

$db = new sitedatalayer();

if ($stmt = $db->_conn->prepare("SELECT `salt` FROM admins WHERE `username` LIKE ? LIMIT 1")) {

  $stmt->bind_param('s', $username);
  $stmt->execute();
  $stmt->bind_result($salt);


  while ($stmt->fetch()) { 
    printf("%s\n", $salt);
  } 

  $stmt->close();    

}

else return false;

Am I composing the expression correctly?
If I, what other characters should be considered? What other disadvantages exist?
What is best for these types of choices?

Thank,

+4

security php mysqli prepared-statement

barfoon 14 . '10 15:58

4

.

LIKE '%' '_' .

, (, ) , SQL. , LIKE , . , .

, = LIKE.

LIKE ( LIMIT 1 ), .

+1

Tomalak 14 . '10 16:07

, LIKE , .

And just for your information: native trained operators avoid nothing .

-1

Your common sense Jun 14 '10 at 16:08

source share

These are characters that are not escaped by prepared% _ \ operators

-1

SCC Feb 28 '14 at 7:36

source share

VoteyDisciple · Accepted Answer · 2010-06-14T16:04:56+0000

% .

: LIKE ? - , ?

:

SELECT `salt` FROM admins WHERE `username` = ? LIMIT 1

, %bsmith, () "% bsmith", .

What characters are NOT escaped using the prepared mysqli statement?

More articles: