MySQLi multi_query Security Precautions

Question

I am setting up a couple of MySQLi multi_query function. I know you can't use prepared statements with multi_query, so I wanted to know what security precautions is recommended to use with muti_query.

real_escape_string()?

Input escaping is not a precaution, it's a requirement for producing a valid query that will execute at all. — Dan Grossman, Feb 05 '11 at 16:41

score 1 · Answer 1 · edited May 23 '17 at 12:29

1

In fact, [mysqli_]real_escape_string() has nothing to do with security. It's more like syntax formatter.

For the complete guide on securing queries refer to this my answer: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

edited May 23 '17 at 12:29

Community

1
1

answered Feb 05 '11 at 16:42

Your Common Sense

154,967
38
205
325

score 0 · Accepted Answer · answered Feb 05 '11 at 16:42

Pretty much yes. Especially given, that multi_query() allows for 'exploits of a mum' type of injection. So yeah:

Escape strings
Cast inetgers to integers and floats to floats
If possible, assign your application privileges to SELECT, UPDATE, INSERT and DELETE only.

MySQLi multi_query Security Precautions

2 Answers2