I had been using only mysql_real_escape_string to clean my form input data before inserting it into a MySQL table.
Recently I came across PHP’s internal filter / validation functions, and I want to use them.
So my question is this:
If I use FILTER_SANITIZE_STRING and FILTER_SANITIZE_EMAIL to clean up form input data, do I then have to run it through mysql_real_escape_string before inserting it into my database?
Wow! I really appreciate you guys' recommendation of PDO. However, implementing an abstraction layer is way beyond what I'm trying to do. I should have been more clear.
I've got a pretty simple form with a few fields that gets stored in a DB upon submit, then emails me the info as well.
I was using mysql_real_escape_string to escape the data before inserting it into the DB, and I wanted to use FILTER_SANITIZE_EMAIL to prevent injection attacks.
Thus my question:
If I use FILTER_SANITIZE_STRING and FILTER_SANITIZE_EMAIL to clean up form input data, do I then have to run it through mysql_real_escape_string before inserting it into my database?
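An added example, not code from the original post, handling the same kind of form: filter_var() checks the shape of the input, and a mysqli prepared statement keeps the values out of the SQL text, so no separate escaping step is needed. The table name `contacts`, its columns and the connection parameters are assumptions.

```php
<?php
// Added example (not from the original post). Assumes a MySQL table
// contacts(name, email) and the connection parameters used below.
declare(strict_types=1);

function cleanInput(array $post): ?array
{
    $rawName  = $post['name']  ?? '';
    $rawEmail = $post['email'] ?? '';
    if (!is_string($rawName) || !is_string($rawEmail)) {
        return null; // reject array-valued fields (name[]=... tricks)
    }

    // Trim and strip tags from the name; reject empty or overlong values.
    $name = trim(strip_tags($rawName));
    if ($name === '' || strlen($name) > 100) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL only checks the address format. It is not an
    // SQL escaping step: a valid address such as o'brien@example.com keeps
    // its apostrophe, which would break a query built by concatenation.
    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }

    return ['name' => $name, 'email' => $email];
}

function storeContact(mysqli $db, string $name, string $email): bool
{
    // The ? placeholders are sent separately from the SQL text, so the
    // values can never change the query's structure; neither
    // mysql_real_escape_string() nor a sanitize filter is needed for that.
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$input = cleanInput($_POST);
if ($input === null) {
    http_response_code(400);
    exit('Invalid form input.');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');   // assumed credentials
storeContact($db, $input['name'], $input['email']);
$db->close();
```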