[Solved] plain mysql prepare statement prevent injection attack?


[I assume that you meant $mysqli is mysqli connection.]

Although the execution of stmt1 (the last of your three queries) is safe, the multi-query function you wrote is very unsafe. Running something like

userQuery("'; delete from user; select * from user where username="");

will actually delete all users from your user table. Assuming $username represents raw user input without proper escaping, the consequences can be catastrophic.

You could possibly improve the above and do the escaping on your own using mysqli::real_escape_string, but there are many more sophisticated ways to do hacks like the one above. Prepared statements are all in all a better solution.

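To show the fix the answer recommends, here is an added example (not code from the original answer) that looks a user up with a mysqli prepared statement instead of building the SQL string by hand. It assumes a `user` table with a `username` column, as in the payload above, and an open `$mysqli` connection created elsewhere.

```php
<?php
// Added example: the lookup done safely with a mysqli prepared statement.
// Assumes $mysqli is an open mysqli connection and a `user` table with a
// `username` column (both taken from the answer's example payload).

function findUser(mysqli $mysqli, string $username): ?array
{
    // The SQL text is fixed and contains exactly one statement; the value is
    // sent separately as a bound parameter, so quotes or semicolons inside
    // $username are data, never part of the statement. The ';'-separated
    // multi-query interface is not involved at all.
    $stmt = $mysqli->prepare('SELECT username FROM user WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed input, the same string as in the answer's example. With the
// prepared statement it is compared literally against the username column;
// nothing is deleted because the server never parses it as SQL.
$hostile = "'; delete from user; select * from user where username=\"";
var_dump(findUser($mysqli, $hostile));

// Contrast: the pattern the answer warns about, shown only to mark what NOT
// to do. Interpolating $hostile here would let the injected DELETE run.
// $mysqli->multi_query("select * from user where username='$hostile'");
```

Because `prepare()` sends the statement text to the server before any value is bound, the server has already decided the statement's structure by the time `$username` arrives, which is why escaping is no longer the application's job.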