TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   General (http://www.talkphp.com/general/)
-   -   Sanitizing Strings for MySQL? (http://www.talkphp.com/general/3491-sanitizing-strings-mysql.html)

Stealth 10-17-2008 05:52 PM

Sanitizing Strings for MySQL?
 
Could you use addslashes and mysql_real_escape_string together to sanitize user input?
Example:
Code:

<?php
$q = addslashes(trim(mysql_real_escape_string($_POST['input'])));
$insert = mysql_query("INSERT INTO table1 (input) VALUES ('$q')") or die(mysql_error());
?>

Would it clean up the string to protect against SQL Injections?

Thanks. :-)

Tanax 10-17-2008 05:54 PM

I would only use mysql_real_escape_string. It works to clean up against SQL injections.

Stealth 10-17-2008 06:01 PM

So I would do it like this?
Example:
Code:

<?php
$q = mysql_real_escape_string(trim($_POST['input']));
?>

Thanks.

Tanax 10-17-2008 06:11 PM

Indeed, that would be secure.

Stealth 10-17-2008 06:25 PM

Okay, thanks!

Wildhoney 10-17-2008 10:43 PM

Yep. Don't use 2 similar functions with one another; sometimes it may have disastrous consequences.
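An added example, not posted by anyone in the thread, showing both points the replies make: escaping a value twice corrupts the stored data, and the way to take escaping out of the picture entirely is a prepared statement with bound parameters. Because mysql_real_escape_string() needs a live MySQL connection (and the whole mysql_* extension was removed in PHP 7.0), the script uses addslashes() as a stand-in for the escaping step, which handles the single quote the same way, and an in-memory SQLite database through PDO for the parameterised query so it runs offline. The table name table1, the column input and the sample values are taken from or constructed for this example.

```php
<?php
// Added example, not code from the TalkPHP thread.
// Assumes PHP 7+ with the pdo_sqlite extension available.

// Constructed sample input: a perfectly legitimate value that contains a quote.
$input = "O'Reilly";

// Escaping once: the quote becomes \' so it can sit safely inside a quoted
// SQL literal; the database decodes it back to a plain single quote.
// addslashes() stands in here for mysql_real_escape_string(), which cannot be
// called without a MySQL connection. (Note that the real function is only safe
// when the connection charset has been set, e.g. with mysql_set_charset().)
$once = addslashes($input);    // O\'Reilly

// Escaping the already escaped value doubles the backslash: \' becomes \\\'.
// The database decodes that to a literal backslash followed by a quote, so the
// row would hold O\'Reilly instead of O'Reilly. This is the "disastrous
// consequence" of stacking addslashes() on top of mysql_real_escape_string().
$twice = addslashes($once);    // O\\\'Reilly

echo "input: $input\n";
echo "once:  $once\n";
echo "twice: $twice\n";

// Parameterised query: the value never becomes part of the SQL text, so there
// is nothing to escape and no way to escape it twice by accident.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (input TEXT)');

$stmt = $db->prepare('INSERT INTO table1 (input) VALUES (:input)');
$stmt->execute([':input' => $input]);

// A value containing quote and comment characters is stored verbatim as data;
// the statement structure was fixed when it was prepared.
$stmt->execute([':input' => "x'); -- y"]);

foreach ($db->query('SELECT input FROM table1') as $row) {
    echo "stored: {$row['input']}\n";
}
```

With MySQL the same pattern is mysqli_prepare() / bind_param() or PDO with the mysql driver; the escaping functions are then not needed at all, which is the simplest way to avoid both injection and the double-escaping problem Wildhoney describes.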
