JasonDavis

Reputation: 48943

Basic MySQL/PHP Filtering

I know this is a very basic question, that's why I just want a simple answer please; there are several ways to make my user input safe for MySQL.

Is using this the BEST method

mysql_real_escape_string()

On all user submitted items going into a mysql query?

If I use the above, do I need to use another function on that data when I get it back from MySQL to show on a PHP page?

Upvotes: 1

Views: 2610

Answers (3)

Chasen Le Hara

Reputation: 96

Using prepared statements is the best way to put data into MySQL. Prepared statements explicitly tell MySQL what is SQL and what is data, so MySQL won't execute any SQL in the data.

You can get started with prepared statements with Mysqli.

As for showing the data in your PHP pages, you can use htmlspecialchars() to escape your output.

Upvotes: 4
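The pattern this answer recommends, written out as an added example (not code from the answer above). It assumes a reachable MySQL server with the hypothetical credentials `quiz_user`/`quiz_pass`, a database `quiz_db`, and a table `quiz(id INT AUTO_INCREMENT PRIMARY KEY, answers TEXT NOT NULL)`; the form input is read raw, bound as a parameter on the way in, and escaped for HTML only at the point of display.

```php
<?php
// Added example, not part of the original answer. Assumes a MySQL server with the
// hypothetical credentials below and a table:
//   CREATE TABLE quiz (id INT AUTO_INCREMENT PRIMARY KEY, answers TEXT NOT NULL);
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'quiz_user', 'quiz_pass', 'quiz_db');
$db->set_charset('utf8mb4'); // client charset must match what the server expects

// Raw input straight from the form; no escaping is applied before storage.
$answer = $_POST['answer'] ?? '';

// 1. Write: the SQL text contains only a placeholder. The value is sent separately,
//    so a payload such as  '); DROP TABLE quiz; --  is stored as a plain string.
$stmt = $db->prepare('INSERT INTO quiz (answers) VALUES (?)');
$stmt->bind_param('s', $answer);   // 's' = bind as string
$stmt->execute();
$stmt->close();

// 2. Read back: the same rule applies to values in a WHERE clause.
$id = (int) ($_GET['id'] ?? 0);
$stmt = $db->prepare('SELECT answers FROM quiz WHERE id = ?');
$stmt->bind_param('i', $id);       // 'i' = bind as integer
$stmt->execute();
$stmt->bind_result($stored);       // bind_result works without the mysqlnd driver
$stored = $stmt->fetch() ? (string) $stored : '';
$stmt->close();

// 3. Output: MySQL hands the bytes back unchanged, so escape for the HTML context at
//    the moment of display. ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE
//    replaces invalid UTF-8 instead of returning an empty string.
$safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo "<p>Your answer: {$safe}</p>";
```

Binding with `bind_param` means there is no string to escape at all on the way in, which is why the stored value can be displayed later without first undoing any escaping; the only transformation happens in step 3, and it is specific to the output context (here HTML text), not to the database.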

streetparade

Reputation: 32888

PHP has a very good filter function:

http://php.net/manual/de/ref.filter.php

/*** use a callback filter to mysql_real_escape_string ***/
$answer = filter_input(INPUT_POST, "answer", FILTER_CALLBACK, array("options"=>"mysql_real_escape_string"));

/*** create an sql query ***/
$sql = "INSERT INTO quiz (answers) VALUES ('{$answer}')";

/*** echo the query ***/
echo $sql;

Upvotes: 4

Corey Ballou

Reputation: 43467

Escape input, filter output.

  • You should use mysql_real_escape_string() or prepared statements going into the db.
  • You should use htmlentities() on any data generated by an end user when displaying on a page.

Please note that htmlentities will not handle every possible cross-site scripting attack depending on the user's browser and the particular attack vector they used. Many individuals use a sanitization library like HTML Purifier to cleanse their data prior to displaying it on a page.

Upvotes: 2
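The caveat in this answer, that htmlentities() does not cover every cross-site scripting vector, is easy to see with two concrete cases. The following is an added example, not code from the answer above; the user inputs are constructed, and `safeHref()` is a hypothetical helper written here to show the fix. It runs offline with plain PHP.

```php
<?php
// Added example, not part of the original answer. Two places where htmlentities()
// alone is not enough, each followed by the corrected form.
declare(strict_types=1);

// Constructed user input: a "profile link" submitted through a form.
$userUrl = 'javascript:alert(document.cookie)';

// Case 1: URL context. htmlentities() only rewrites & < > " (and ' with ENT_QUOTES).
// None of those occur in the payload, so it is emitted verbatim and runs on click.
echo '<a href="' . htmlentities($userUrl, ENT_QUOTES, 'UTF-8') . '">profile</a>' . PHP_EOL;

// Fix: validate the value for the context it is going into (allowlist of URL schemes),
// then still escape it for the attribute. Hypothetical helper, not a PHP built-in.
function safeHref(string $url): string
{
    // parse_url() returns null for a missing scheme and false for a malformed URL;
    // both cast to '' and are rejected below.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#'; // anything that is not a plain web link is dropped
    }
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}
echo '<a href="' . safeHref($userUrl) . '">profile</a>' . PHP_EOL;

// Case 2: single-quoted attribute. With ENT_COMPAT (the default flag set before
// PHP 8.1) the single quote is left alone, so the payload closes the attribute
// and adds an event handler.
$userName = "x' onmouseover='alert(1)";
echo "<span title='" . htmlentities($userName, ENT_COMPAT, 'UTF-8') . "'>name</span>" . PHP_EOL;

// Fix: always pass ENT_QUOTES and the page charset so both quote styles are encoded.
echo "<span title='" . htmlentities($userName, ENT_QUOTES, 'UTF-8') . "'>name</span>" . PHP_EOL;
```

The point of the first case is that escaping is per context: htmlentities() is the right tool for text nodes and quoted attributes, but a URL attribute additionally needs the scheme checked, and values placed into inline JavaScript or CSS need their own encoders. The second case is why the flags and charset should be spelled out rather than relying on the defaults of whatever PHP version happens to be installed.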
