
php automatic string escape on post

I'm building a neat website for my friend, and I noticed that the site escaped the input from textboxes, textareas, etc. automatically.

Does this mean that I don't have to add mysql_real_escape_string when I want to insert the data in my mysql database and I can just leave it as it is?

Or is this a potential security risk?

As commenters will point out, the mysql() API is not the preferred one. Use MySQLi - and use prepared statements. The beauty of this is - no matter what you insert - it can't alter the original SQL (the altering of SQL without the programmer's knowledge is the real security issue).

In addition, having escaped input on all posts can be irritating in general. I generally turn this off by disabling the gpc_magic_quotes directive in php.ini, or by using stripslashes if gpc_magic_quotes is on. But that's my personal preference.

So, please please please try to upgrade the code to MySQLi syntax. If it's absolutely impossible, use stripslashes and then use mysql_real_escape_string (which will take into account the language encoding you use...)
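The following is an added example, not code from the question or the answer above. It reproduces what the magic quotes feature did to $_POST (the php.ini directive is actually `magic_quotes_gpc`; the feature was removed in PHP 5.4 and `get_magic_quotes_gpc()` itself in PHP 8.0), shows why escaping a second time on top of it corrupts stored data, and shows why escaping is only ever about keeping a value inside its quotes. No database is needed: `addslashes()` stands in for `mysql_real_escape_string()`, which gives the same output for single-byte ASCII input but needs a live connection so that it can escape according to the connection charset (that is the "language encoding" point the answer makes; a charset-unaware escape can be bypassed with multibyte input on charsets such as GBK). The `users(name)` table and the sample inputs are hypothetical.

```php
<?php
// Added example: magic quotes, double escaping, and what escaping does and does not do.
declare(strict_types=1);

// Reads the real interpreter setting. Guarded because the function is gone in PHP 8.
function magicQuotesEnabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Undo magic quotes exactly once so the caller can escape exactly once.
// $magicQuotesOn is passed in (rather than read here) so the demo below can
// simulate a PHP 5.3 setup on a modern interpreter.
function undoMagicQuotes(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// The pattern the question is worried about: value concatenated into the SQL text.
function concatQuery(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . $name . "'";
}

// Same query with the value escaped once (addslashes simulating mysql_real_escape_string).
function escapedQuery(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . addslashes($name) . "'";
}

// 1. Legitimate input containing an apostrophe, as magic quotes handed it to the script.
$typed        = "O'Brien";                   // what the user typed (constructed sample)
$asSeenInPost = addslashes($typed);          // O\'Brien   : magic quotes already ran
$twice        = addslashes($asSeenInPost);   // O\\\'Brien : escaped again, data corrupted
$once         = addslashes(undoMagicQuotes($asSeenInPost, true)); // O\'Brien : correct

echo "typed:          $typed\n";
echo "from POST:      $asSeenInPost\n";
echo "escaped twice:  $twice   (stored as O\\'Brien, not O'Brien)\n";
echo "strip+escape:   $once\n";
echo "magic quotes on in this interpreter: " . (magicQuotesEnabled() ? 'yes' : 'no') . "\n";

// 2. Hostile input. Concatenation lets the value rewrite the statement; escaping
//    keeps the whole thing inside one string literal. Where the escaping happens
//    does not matter, only that it happens exactly once per quote context.
$attacker = "x' OR '1'='1";                  // constructed sample
echo concatQuery($attacker), "\n";   // ... WHERE name = 'x' OR '1'='1'       <- logic changed
echo escapedQuery($attacker), "\n";  // ... WHERE name = 'x\' OR \'1\'=\'1'   <- one literal
```

Run it with `php demo.php`. The last two lines are the whole argument of the answer: escaping works only while every value is escaped exactly once for the exact quote context it lands in, which is easy to get wrong; a prepared statement removes that bookkeeping entirely because the value never becomes part of the SQL text.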

It does not really matter where the escaping took place, be it when the form was being posted or when the actual query to the database was being made. The mysql_* functions are in the process of being deprecated and should no longer be in operation.

If you want a neat, secure website, learn to use either mysqli (the i is for "improved") or, better yet, the database-agnostic interface called PDO. Both will give you the neatness you need and an additional security boost.

You can get a tutorial for PDO here

and for Mysqli here
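As an added example (not from either answer, and not from any tutorial linked above), here is the prepared-statement version of the insert that the question is about, in both of the APIs the answers recommend. The SQL text is sent to the server with placeholders and the values travel separately, so no input can change the statement's structure. Two PDO settings matter for that guarantee: `charset` in the DSN so client and server agree on the encoding, and `PDO::ATTR_EMULATE_PREPARES => false` so PDO uses real server-side prepares instead of escaping the values into the query client-side. The `users(id, name, email)` table, host names and credentials are placeholders; running it requires a live MySQL server.

```php
<?php
// Added example: the same insert with MySQLi and with PDO prepared statements.
declare(strict_types=1);

// --- MySQLi ---------------------------------------------------------------
function connectMysqli(string $host, string $user, string $pass, string $dbName): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
    $db = new mysqli($host, $user, $pass, $dbName);
    $db->set_charset('utf8mb4'); // keep the connection charset explicit
    return $db;
}

function insertUserMysqli(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $email); // 's' = string; no escaping, no quoting
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// --- PDO ------------------------------------------------------------------
function connectPdo(string $host, string $user, string $pass, string $dbName): PDO
{
    $dsn = "mysql:host=$host;dbname=$dbName;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function insertUserPdo(PDO $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();
}

function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// --- Usage (placeholders: adjust host, credentials and database name) -------
$pdo = connectPdo('127.0.0.1', 'app_user', 'secret', 'app');

// Raw $_POST values go straight in; with magic quotes gone there is nothing to strip.
$name  = $_POST['name']  ?? "O'Brien";        // fallback is a constructed sample
$email = $_POST['email'] ?? 'ob@example.com';
$id = insertUserPdo($pdo, $name, $email);
echo "inserted id $id\n";

// The injection string from the question is just a value here: it matches no row.
var_dump(findUserByName($pdo, "x' OR '1'='1")); // NULL
var_dump(findUserByName($pdo, "O'Brien"));      // the row inserted above
```

One caveat a practitioner should keep in mind: placeholders cover values only. Table names, column names and `ORDER BY` directions cannot be bound, so anything of that kind that comes from the request still has to be checked against an allow-list before it is spliced into the SQL text.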

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM