I have a simple classifieds website...
Classifieds are inserted into MySQL tables and the only thing I use to sanitize user input is mysql_real_escape_string.
Is this enough?
PDO is the best way of course, but what IS actually the difference between using only mysql_real_escape_string and PDO in, let's say, this query:
SELECT * FROM table_name WHERE table_name.classified = '$classified';
OR
INSERT INTO table_name (input1, input2) VALUES ('$input1', $input2);
Thanks
There is some pretty thorough info in this previous question: Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?
Basically, mysql_real_escape_string() gets the job done unless you want to rework (and possibly simplify) all your database interactions.
I think mysql_real_escape_string is enough for storing in the database and warding against any SQL injection attack. But other validation is a good idea to have just so that your dataset is more regular and less prone to contain junk.
For presenting any of this data, filtering (à la Drupal style, etc.) is a good idea too.
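As an added illustration (not code from the question or from either answer), here are the question's two queries rewritten as PDO prepared statements, showing why the unquoted `$input2` in the INSERT is the case that escaping alone does not cover. The DSN, credentials and the assumption that `input2` is an integer column are mine.

```php
<?php
// Added example, not code from the question or either answer. It rewrites the
// question's two queries as PDO prepared statements. Assumed: the DSN and
// credentials below, and that input2 is an integer column (the question's
// INSERT leaves $input2 unquoted).

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=classifieds;charset=utf8mb4', 'app', 'secret', [
        // Real server-side prepares: the query text and the bound values are sent
        // separately, so the values are never spliced into SQL and need no escaping.
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Replaces: SELECT * FROM table_name WHERE table_name.classified = '$classified';
function findClassified(PDO $pdo, string $classified): array
{
    $stmt = $pdo->prepare('SELECT * FROM table_name WHERE table_name.classified = :classified');
    $stmt->execute([':classified' => $classified]);   // bound as data, quoting is the driver's job
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Replaces: INSERT INTO table_name (input1, input2) VALUES ('$input1', $input2);
// mysql_real_escape_string() only protects a value that sits inside quotes; $input2 has
// none, so escaping it changes nothing. Validating it as an integer and binding it with an
// explicit integer type is what actually separates the value from the query.
function insertClassified(PDO $pdo, string $input1, $input2): bool
{
    $int2 = filter_var($input2, FILTER_VALIDATE_INT);
    if ($int2 === false) {
        throw new InvalidArgumentException('input2 must be an integer');
    }
    $stmt = $pdo->prepare('INSERT INTO table_name (input1, input2) VALUES (:input1, :input2)');
    $stmt->bindValue(':input1', $input1, PDO::PARAM_STR);
    $stmt->bindValue(':input2', $int2,   PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage (with the assumed connection details above):
// $pdo  = connect();
// insertClassified($pdo, $_POST['input1'] ?? '', $_POST['input2'] ?? '');
// $rows = findClassified($pdo, $_GET['classified'] ?? '');
```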