Abubakkar Rangara Abubakkar Rangara - 10 months ago 31
SQL Question

Is is safe to use mysql_* functions if PDO and mysqli is not available?

I have a website hosted on a shared hosting.
They have php 5.2.13 installed.

I know the vulnerabilities of SQL Injection and I want to prevent it.

So I want to use PDO or mysqli for preventing it.

But the problem when I used

to view the hosting environment php setup info,

I found that there was no mysql driver for PDO and there was no support for mysqli in it.

So I wanted to know whether it will be safe to use that old mysql_* functions( along with
functions like

I looked at this one on SO but it wasn't much helpful to me.
Prepared statements possible when mysqli and PDO are not available?


I forgot to mention that most of the queries will be simple. There are no forms used so no user input will be used to make a query. All the queries will be hard coded with necessary parameters and they will not be changed once set.


If you're really rigorous about always using mysql_real_escape_string() with all user-supplied input then I think you should be safe from any SQL injection that prepared statements protects you from.

How perfect are you at this? I'll bet most of the buffer overflow vulnerabilities were created by programmers who thought they were good at checking inputs....