How to safely escape the input data in php for mysql

Question

Which means, at the moment, are the safest for screening data in php to send them to the mysql database.

Thank, you )

In addition to the answers below, it's worth reading http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php — eggyal, Apr 30 '12 at 07:37

Mihai Iorga · Accepted Answer · 2016-01-12T17:17:34.263

16

I believe ~~mysql_real_escape_string()~~ mysqli_real_escape_string() is the best way to escape input data

Later edit since everything is deprecated now and information must be valid:

Try to use PDO as prepared statements are much safer or mysqli_*() functions if you really need to keep old code somewhat up-to-date.

edited Jan 12 '16 at 17:17

answered Apr 30 '12 at 07:32

Mihai Iorga

38,217
14
107
106

10

I would argue passing your strings as parameters to prepared statements is safer. – eggyal Apr 30 '12 at 07:38
I also currently use it to them – frops Apr 30 '12 at 07:40

score 4 · Answer 2 · answered Apr 30 '12 at 08:27

Currently the most preferred way to insure your safety is prepared statements.

example:

$preparedStatement = $db->prepare('SELECT * FROM memebers WHERE username = :username');

$preparedStatement->execute(array(':username' => $username));

$rows = $preparedStatement->fetchAll();

then when displaying your data use htmlspecialchars()

score 3 · Answer 3 · answered Apr 30 '12 at 08:02

validMySQL($var) {
$var=stripslashes($var);
$var=htmlentities($var);
$var=strip_tags($var);
$var=mysql_real_escape_string($var);
return $var
}

The above code helps to sanitize most invalid data, just remember that you've to be connected to mysql database for mysql_real_escape_string to work...

How to safely escape the input data in php for mysql

3 Answers3

Linked