FILTER_SANITIZE_STRING vs. mysql_real_escape_string

Hi All,

I had been using only mysql_real_escape_string to clean my form input data before inserting into a mysql table.

Recently I came across PHP’s internal filter / validation functions, and I want to use them.

So my question is this:

If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to clean up form input data, do I have to then run it through mysql_real_escape_string before inserting into my database?

Thanks in advance,

Robert

If you do not have so much code in your project that you’re committed, simply use PDO. It’s a lot less of a hassle.

I’d second the use of PDO.

If you’re not sure of the benefits, here’s a quick (imperfect) overview of the standard mysql library:

  1. Variables get inserted into SQL string
  2. The SQL string as a whole is sent to MySQL
  3. MySQL parses the string passed as a single entity

Any unescaped data, as I’m sure you’re aware, can corrupt the query and cause all kinds of problems.

In PDO, however, it works a little something like (again, imperfect example to simplify):

  1. The basic query string, without the variables inserted, is sent to MySQL
  2. MySQL figures out what to do when data (the variables) come in
  3. The variables are sent from PHP to MySQL via PDO. As they aren’t in the command string itself, they have no effect on the workings of the query
  4. If multiple sets of data are sent, the original set instructions (#2) are reimplemented, saving processing time
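To make the difference concrete, here is an added example (not code from anyone in this thread) of the PDO flow described above: the field format is checked with filter_var(), and the values are then bound to a prepared statement so the driver never parses them as SQL. The table and column names, DSN and credentials are placeholders; FILTER_VALIDATE_EMAIL is used rather than FILTER_SANITIZE_STRING because the latter is deprecated as of PHP 8.1.

```php
<?php
// Added example, not from the original thread. Assumes a table `contacts`
// with columns `name` and `email`, and placeholder DSN/credentials below.
declare(strict_types=1);

// Constructed sample input standing in for $_POST. The apostrophe in the
// name is exactly the kind of data that corrupts a concatenated query.
$input = [
    'name'  => "Robert O'Brien",
    'email' => 'robert@example.com',
];

// Step 1: check the *format* of each field. filter_var() rejects or trims
// malformed input; it does not make a value safe to splice into SQL.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    exit('Invalid e-mail address');
}
$name = trim($input['name']);
if ($name === '' || mb_strlen($name) > 100) {
    exit('Invalid name');
}

// Step 2: send the query text and the data separately. MySQL prepares the
// statement first; the bound values arrive afterwards and are treated purely
// as data, so no escaping call (mysql_real_escape_string or otherwise) is needed.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'db_user',                                                // placeholder
    'db_password',                                            // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => $name, ':email' => $email]);

// For contrast, the concatenated form the thread warns about. With $name above,
// the unescaped apostrophe ends the string literal early and breaks the query:
//   "INSERT INTO contacts (name, email) VALUES ('$name', '$email')"
```

The same prepared statement can be executed again with a second set of values, which is the step 4 reuse mentioned above.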

Wow! I really appreciate you guys’ recommendation of PDO. However, implementing an abstraction layer is way beyond what I’m trying to do. I should have been more clear.

I’ve got a pretty simple form with a few fields, that gets stored in a DB upon submit, then emails me the info as well.

I was using mysql_real_escape_string to escape the data before inserting into the db, and I wanted to use FILTER_SANITIZE_EMAIL to prevent injection attacks.

Thus my question:

If I use FILTER_SANITIZE_STRING & FILTER_SANITIZE_EMAIL to clean up form input data, do I have to then run it through mysql_real_escape_string before inserting into my database?

Yes.

thankx

Just be warned that function is glitchy and doesn’t always work.

That has never been actually proven, has it? Not saying you’re wrong but rather thinking out loud here :)