
safe. Consider the following example:

    $id = mysqli_real_escape_string($conn, "1 OR 1=1");
    $sql = 'SELECT * FROM table WHERE id = ' . $id;

The string 1 OR 1=1 contains none of the characters that the escaping function rewrites (quotes, backslashes, NUL, newlines), so it is returned unchanged, and because $id is not quoted in the query it is parsed as SQL rather than as a value: the statement becomes SELECT * FROM table WHERE id = 1 OR 1=1 and matches every row. This still represents SQL injection. There are other cases as well in which the function returns data that is unsafe in the context it is placed into. The problem is that MySQL's escaping function is designed to make a value safe to put inside a quoted SQL string literal. It is NOT designed to make sure that MySQL can't confuse user data for SQL instructions.
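The following is an added example, not code from the original book, that walks the unquoted-id case above through its progressively safer forms. It assumes a MySQL server reachable with the placeholder credentials shown and a table `people` with an integer primary key `id`; the attacker value is constructed for the demonstration. Beyond the page's own case it also shows type validation and a prepared statement, which is the form that removes the problem instead of working around it.

```php
<?php
// Added example (not from the original page). Assumes a MySQL server
// reachable with the placeholder credentials below and a table `people`
// with an integer primary key `id`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli failure
$conn = new mysqli('localhost', 'user', 'password', 'my_db');

$input = '1 OR 1=1'; // constructed attacker-controlled value, e.g. from $_GET['id']

// 1. Escaping alone, as on the page. The input holds no quote, backslash,
//    NUL or newline, so real_escape_string() returns it unchanged, and
//    because $id is not quoted it is parsed as SQL. The built statement is
//    SELECT * FROM people WHERE id = 1 OR 1=1, which matches every row.
$id = $conn->real_escape_string($input);
$unsafe = 'SELECT * FROM people WHERE id = ' . $id;

// 2. Escaping plus quoting. The value is now a string literal, the context
//    the escaping function was designed for. Correct here, but only as long
//    as every caller remembers the quotes.
$quoted = "SELECT * FROM people WHERE id = '" . $id . "'";

// 3. Type validation. An id can only ever be an integer; anything else is
//    rejected before it gets near the query.
function validated_id(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    return $id;
}

// 4. Prepared statement. The SQL text reaches the server before the value
//    does, so the value is only ever data, whatever characters it contains.
function find_person(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT * FROM people WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (the default driver)
    $stmt->close();
    return $row ?: null;
}

try {
    $person = find_person($conn, validated_id($input)); // '1 OR 1=1' is rejected here
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

$person = find_person($conn, validated_id('1')); // the legitimate lookup
```

Steps 3 and 4 are independent and worth combining: validation rejects input that makes no sense for the column, and the prepared statement guarantees that whatever is bound cannot alter the statement. Escaping (steps 1 and 2) is only correct when the value lands inside quotes, which is exactly the condition the example on the page violates.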

Section 59.6: Debugging SQL in MySQLi

So your query has failed (see MySQLi connect for how we made $conn):

    $result = $conn->query('SELECT * FROM non_existent_table'); // This query will fail

How do we find out what happened? $result is false, so that's no help. Thankfully the connection $conn can tell us what MySQL told us about the failure:

    trigger_error($conn->error);

or, procedural:

    trigger_error(mysqli_error($conn));

You should get an error similar to

    Table 'my_db.non_existent_table' doesn't exist

The numeric MySQL error code is available as $conn->errno (mysqli_errno($conn)) and the SQLSTATE as $conn->sqlstate. These properties describe the most recent call on the connection only, so read them before issuing another query. Note also that since PHP 8.1 mysqli reports errors as exceptions by default (MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT): query() then throws a mysqli_sql_exception instead of returning false, unless you call mysqli_report(MYSQLI_REPORT_OFF) first.

Section 59.7: MySQLi query

The query function takes a valid SQL string and executes it directly against the database connection $conn.

Object oriented style

    $result = $conn->query("SELECT * FROM `people`");

Procedural style

    $result = mysqli_query($conn, "SELECT * FROM `people`");

CAUTION

A common problem here is that people will simply execute the query and expect it to work (i.e. return a mysqli_result object). Since this function takes only a string, you're building the query first yourself, and any user data concatenated into that string has to be handled as described in the escaping discussion above, or better, passed through a prepared statement. If there are any mistakes in the SQL at all, MySQL will reject the statement, at which point this function returns false (or, with the PHP 8.1+ default error reporting, throws a mysqli_sql_exception):

    $result = $conn->query('SELECT * FROM non_existent_table'); // This query will fail
    $row = $result->fetch_assoc(); // fails: fetch_assoc() is called on false, not on a result object

Always check $result === false before using it, and remember that for statements without a result set (INSERT, UPDATE, DELETE) a successful query() returns true, not a mysqli_result.
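The following is an added example, not code from the original book, serving both the debugging discussion in Section 59.6 and the CAUTION above: a small wrapper that checks query()'s return value and reports errno, SQLSTATE and the server message before anything tries to fetch from it, followed by the same failure handled in the exception reporting mode that PHP 8.1 and later use by default. The credentials are placeholders and `non_existent_table` is assumed not to exist so that the query fails.

```php
<?php
// Added example (not from the original page). Placeholder credentials;
// `non_existent_table` is assumed not to exist so that the query fails.

// Style 1: return-value checking, as in the text. This needs the legacy
// reporting mode; PHP 8.1+ defaults to MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT.
mysqli_report(MYSQLI_REPORT_OFF);
$conn = new mysqli('localhost', 'user', 'password', 'my_db');
if ($conn->connect_errno) {
    die('Connect failed: ' . $conn->connect_error);
}

// Runs a statement and returns its rows, or null when MySQL rejected it.
// On failure $conn->query() returns false, not a mysqli_result, so this
// check must come before any fetch call.
function select_rows(mysqli $conn, string $sql): ?array
{
    $result = $conn->query($sql);
    if ($result === false) {
        // error/errno/sqlstate describe the most recent call only, so read
        // them before issuing another query.
        trigger_error(sprintf('MySQL error %d (%s): %s; query: %s',
            $conn->errno, $conn->sqlstate, $conn->error, $sql), E_USER_WARNING);
        return null;
    }
    if ($result === true) {
        // INSERT/UPDATE/DELETE return true and have no rows to fetch.
        return [];
    }
    $rows = $result->fetch_all(MYSQLI_ASSOC); // needs mysqlnd (the default driver)
    $result->free();
    return $rows;
}

$rows = select_rows($conn, 'SELECT * FROM non_existent_table');
if ($rows === null) {
    echo "query failed; details were reported via trigger_error()\n";
}

// Style 2: exception mode (the PHP 8.1+ default). query() never returns
// false here; the failure arrives as a mysqli_sql_exception and the
// fetch_assoc() line is never reached.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $result = $conn->query('SELECT * FROM non_existent_table');
    $row = $result->fetch_assoc();
} catch (mysqli_sql_exception $e) {
    // getCode() is the MySQL errno (1146 for an unknown table) and
    // getMessage() the server text, e.g.
    // "Table 'my_db.non_existent_table' doesn't exist".
    error_log(sprintf('MySQL error %d: %s', $e->getCode(), $e->getMessage()));
}
```

Pick one style per application and set mysqli_report() explicitly at startup rather than relying on the PHP version's default; code written for false-returns silently breaks under exception mode, and code written for exceptions gets a fatal "method on bool" error under the legacy mode.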

GoalKicker.com – PHP Notes for Professionals
