change sql permission to prevent SQL injection

Question

I'm currently making a website using PHP and MYSQLi. And I've been read a lot about SQL injection. As answered on other questions from StackExchange, 2 ways of prevent it is by using prepared statement and escaping string. Since I'm not able to do prepared statement (I've tried to make it based on tutorials and videos but can't make it work) so I chose another way(escaping string). My question is, if I change permission for user at my SQL login page, to only able to do 'SELECT' query. Will it able to give me extra security measure to prevent user from DROP, ALTER, etc on my database. Because my website :-

1. Not require any user to register.
2. The only text field link to my query is for full text search function (which only use SELECT for the query and I have mysqli escape string on this text field).

Answer 1

It's always a good idea to give your application's database login only the permissions it needs. If it doesn't need to do inserts or updates, don't give it insert or update permission.

However, attackers may still be able to exploit SQL injection vulnerabilities to read unauthorized data using select statements, so you still need to protect your queries against that.

Answer 2

Unfortunately, you get it all wrong (which is no wonder, given all the tons of rubbish posted in Stack Overflow).

prevent it by escaping string.

It doesn't prevent injections

Will it able to give me extra security measure

No.

I'm not able to do prepared statement

Consider hiring a programmer then. Think of your customers. And your business, after all. If you, say, want to be a bus driver, you have to buy a bus - not making it out of wood logs and clay, endangering your passengers. Exactly the same thing here - if you need a site to sell your goods - buy a site, instead of making it yourself