Tattat
Reputation: 15778
How to sanitize data in php in order to avoid SQL injection?
I already used the PDO:
$stmt = $aPDO->prepare("INSERT INTO ".$this->getM_oUser()->getM_sTableName()." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
$stmt->bindValue(':email', $this->getM_oUser()->getM_sEmail());
$stmt->bindValue(':hash_pw', $this->getM_oUser()->getM_sHash_pw());
$stmt->bindValue(':hash_key', $this->getM_oUser()->getM_sHash_Key());
$stmt->execute();
Should I also use mysql_real_escape_string() to handle the user input string? Thank you.
Upvotes: 0
Views: 196
Answers (2)
Arkh
Reputation: 8459
I'd do something like that to exclude a lot of useless characters from your table name:
$tableName = '`' . preg_replace('`[^-a-zA-Z0-9_]`', $this->getM_oUser()->getM_sTableName()).'`';
$stmt = $aPDO->prepare("INSERT INTO ".$tableName." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
Upvotes: 0
Jon
Reputation: 437326
Using prepared statements with bound parameters is enough. You don't need to use mysql_real_escape_string (and you probably could not even if you wanted -- you 'd need a MySql connection resource in hand to do it).
Upvotes: 1
Related Questions
- How can I sanitize user input with PHP?
- A better SQL string sanitization function
- Effective protection function against SQL injection
- How to cleanse a string to avoid SQL Injection and the most common types of attack? (in PHP)
- Protect against SQL injection
- The safest way to avoid SQL injection in PHP?
- How to protect this code from sql injection?
- Please help me to sanitize php data goint to mysql
- PHP function to sanitize all data
- Sanitize user input destined for database in PHP