Hi all :),
What are the best practices when it comes to writing to mysql
to deal with
Special characters as
// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
PDO Prepared Statements (of which I know nothing !)
How do you write to mysql ?
Thanks for any advice
You should always encrypt the user's passwords.
Validate the user inputs, if its a username at all.
To prevent username duplications add a unique key to the database, and handle mysql_errno() value 1062.
Use PDO if you know the basic methods only.
Never use addslashes() AND mysql_real_escape_string() on one input!
The best possible practice is PDO. Data doesn't need to be escaped, it supports (and promotes) prepared statements and it also makes queries look cleaner.
If you don't know much (or anything about PDO) - this is your opportunity to learn something new
Thanks very much djjjozsi !
Great blog by the way !
Thanks Jake !
Definitely I will tryout PDO