Should I escape the input parameters one by one or escape the sql query as a whole?

I am often escaping inputs one by one and I am wondering about the difference between the two methods. Which one is the more common practice? I tried escaping the "escape requiring" fields first, but then I end up writing long escaping code for each value. What are the disadvantages of escaping a whole SQL sentence at once?

Upvotes: 2

Views: 609

Answers (6)

Your Common Sense

Reputation: 157839

Somewhat off-topic, but I feel it's very important.

This is not your first question on the matter. And it seems you still don't get the point.

are you sure mysql does not accept escaped sql strings?

I beg your pardon, but it seems this question is your main problem.
Instead of looking for understanding, instead of looking for an explanation, you are just asking for some sort of positive answer.

The result of this question should be the answer you gave to yourself, based on your understanding of the matter.
Only in this case will it do you any good.
Otherwise you will stumble on the very next step again.

Please, try to understand the meaning of escaping strings.
Your question makes absolutely no sense to anyone who has a very basic SQL knowledge.
Of course such whole query escaping will never work. Just because of the nature of the SQL query.
You desperately need to understand this nature. Please, read some books. Please, ask for explanations, not for some assurance.

Upvotes: 1

frustratedtech

Reputation: 433

You are worried about long code for escaping each var but for some reason you forgot the purpose of a function.

function escape_me($value) {
     // Strip HTML/PHP tags, then escape the value for use in a MySQL string literal.
     // mysql_real_escape_string() needs an open MySQL connection.
     $value = strip_tags($value);
     $value = mysql_real_escape_string($value);
     // ......... (any further per-value cleanup goes here)
     return $value;
}

$var1 = escape_me($_POST['var1']);

Hopefully that gets you pointed in the right direction.

Upvotes: -1

Marcin Wieczorek

Reputation: 390

Escape each input one by one. If you do this for the whole SQL query, you cannot be sure that the SQL statement is still valid after escaping. Let's say instead of

aaa

user will type in

a", "a

so in the generated SQL you will receive

("a", "a") 

instead of

("aaa")

I think that escaping whole SQL statement will not work in such situation.

Upvotes: 0

FlyingGuy

Reputation: 333

Use prepared statements and use bind parameters. Anything else is a hack waiting to happen.

Upvotes: 0

jakx

Reputation: 758

It doesn't work because inside the query you are using things like ' single quotes to indicate values and you don't want those escaped, but you do want to escape the values that might contain single quotes.

Upvotes: 3
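The point made in the three answers above (per-value escaping keeps the user's text as one literal, escaping the finished query mangles the structural quotes, bind parameters avoid splicing entirely) can be reproduced end to end. This is an added example, not code from the question or any answer; it uses Python's sqlite3 on an in-memory table with constructed rows, a hand-written quote-doubling function standing in for mysql_real_escape_string, and single quotes in place of the double quotes in the `a", "a` example.

```python
import sqlite3

# Constructed in-memory table so the queries have something to return.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT)")
conn.executemany("INSERT INTO users VALUES (?)", [("aaa",), ("a",)])

def escape_value(value: str) -> str:
    """Per-value escaping of a SQL string literal (doubling single quotes).
    Stands in for mysql_real_escape_string, which sqlite3 does not have."""
    return value.replace("'", "''")

def query_unescaped(name: str) -> str:
    # The bug: user data spliced straight into the SQL text.
    return "SELECT name FROM users WHERE name IN ('" + name + "')"

def query_per_value(name: str) -> str:
    # Escape the data, then splice it in: the value stays one literal.
    return "SELECT name FROM users WHERE name IN ('" + escape_value(name) + "')"

def query_whole(name: str) -> str:
    # Build the query first, then escape the finished statement: the
    # structural quotes are escaped too, so the text is no longer valid SQL.
    return escape_value(query_unescaped(name))

def run(sql: str, params=()):
    """Return the matched names, or None if the statement fails to parse."""
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error:
        return None

def run_prepared(name: str):
    # Bind parameter: the driver never merges the value into the SQL text.
    return run("SELECT name FROM users WHERE name IN (?)", (name,))

if __name__ == "__main__":
    attack = "a', 'a"   # the answer's a", "a example, with single quotes
    print(run(query_unescaped(attack)))  # ['a']  -> the IN list was widened
    print(run(query_per_value(attack)))  # []     -> one literal, no match
    print(run(query_whole("aaa")))       # None   -> whole-query escaping broke the SQL
    print(run_prepared(attack))          # []     -> bound value, no match
```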

tmjam

Reputation: 1039

I guess escaping the SQL string is more advantageous using mysql_real_escape_string, in reference to time and memory. Some validations can be done at each input level if needed.

Upvotes: -1
