Reputation: 1513
Best way to escape strings for sql inserts?
What is the best way to escape strings for sql inserts, updates?
I want to allow special characters including ' and ". Is the best way to search and replace each string before I use it in an insert statement?
Thanks
Duplicate of: Best way to defend against mysql injection and cross site scripting
Upvotes: 5
Views: 8030
Answers (2)
Reputation: 20184
You should be using parameterized queries (so by extension, a DB interface library that supports parameterized queries) so that SQL injection can't happen.
Upvotes: 5
Reputation: 124365
If you're talking about data values for your fields, then the best way is to use mysql_real_escape_string(). (Some people like mysqli; can't say I do.) If you're talking about allowing user-submitted queries... well, let's hope you're not talking about that.
Upvotes: 4
Related Questions
- Escape strings/ inserting in php script
- Escaping characters before insert into database
- Correct usage of Mysql real escape strings
- Which characters can I safely insert into an SQL database without escaping?
- Escaping for insert to MySql
- Bypassing mysql_real_escape_string's protection
- Escaping a string being inserted into Mysql
- Where to escape the string to prevent mysql injection?
- Escaping user input from database necessary?
- mysql insert escape