I'm using mysql_real_escape_string() and Htmlspecialchars() functions in my PHP code to make it secure against sql-injection and XSS. Is there any possibility to hack these functions? If yes, can you describe how it can be done so that I can improve my code.

Thank you very much.


Solution

If your PHP is updated try to use mysqli or PDO and prepared statements

But to answer your question: YES, mysql_real_escape_string() can be injected, but it's very complicated to do so. Here's an example

Other tips

The first thing you want to do to prevent SQL injections is using PDO and prepared statements, or at least MySQLi, as mysql is deprecated; the migration to mysqli is very, very easy and it's optimized.

If you use mysql_real_escape_string() you should be safe, as long as you escape correctly and wherever you really need it. Remember that in most cases the mistake is on the human side, and not because of the functions :P
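Both answers recommend prepared statements over manual escaping. The following is an added example (not code from either answer or from the question) showing what that looks like with PDO, alongside the output-encoding half of the question. It assumes a MySQL database reachable through the constructed DSN below and a hypothetical table `users` with columns `id`, `username` and `email`; the connection credentials and table name are placeholders.

```php
<?php
// Added example, not from the answers above. Assumes a MySQL database at the
// constructed DSN below and a hypothetical table `users`
// (id INT, username VARCHAR, email VARCHAR).

// 1. Connect with PDO. The charset is declared in the DSN so the driver and
//    the server agree on the encoding, and emulated prepares are disabled so
//    the SQL text and the parameter values travel to the server separately.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',   // constructed DSN
    'app_user',                                          // placeholder user
    'app_password',                                      // placeholder password
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 2. The pattern to avoid: untrusted input concatenated into the query text.
//    Whether this is safe depends on escaping every value, every time, with
//    the connection's real charset; one missed spot is an injection.
function findUserUnsafe(PDO $pdo, string $username): array
{
    // Shown for contrast only; do not use.
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// 3. The recommended pattern: a prepared statement with a bound parameter.
//    The value is never parsed as SQL, so quotes or comment sequences inside
//    it are plain data regardless of how they are encoded.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, email FROM users WHERE username = :username'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// 4. Output encoding for the HTML side. htmlspecialchars() covers values placed
//    in HTML text or in a quoted attribute; pass ENT_QUOTES so single quotes
//    are encoded too, and name the charset the page is served with.
function renderUserRow(array $row): string
{
    $name  = htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $email = htmlspecialchars($row['email'],    ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>{$name}</td><td>{$email}</td></tr>\n";
}

// Request handling: the raw parameter goes straight to the bound query, and
// encoding happens once, at the point where the value enters HTML.
$username = $_GET['username'] ?? '';
foreach (findUserSafe($pdo, $username) as $row) {
    echo renderUserRow($row);
}
```

Two design choices are worth noting. Setting the charset in the DSN (rather than with a separate `SET NAMES` query) is what lets the client library and the escaping logic agree on which bytes are quote characters; that is the same reason mysqli users should call `mysqli_set_charset()` instead of issuing `SET NAMES` by hand. And `htmlspecialchars()` only protects the HTML text and attribute contexts it was designed for; a value inserted into a `<script>` block, a URL, or an unquoted attribute needs a different encoder.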

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow