Should I use PDO to sanitize my Sql queries or is “mysql_real_escape_string” enough?
Question
I have a simple classifieds website...
Classifieds are inserted into MySql tables and the only thing I use to sanitize user input is mysql_real_escape_string .
Is this enough?
The PDO is the best way offcourse, but what IS actually the difference between using only mysql_real_escape_string and PDO, in lets say this query:
SELECT * FROM table_name WHERE table_name.classified = '$classified';
OR
INSERT INTO table_name (input1, input2) VALUES ('$input1', $input2);
Thanks
2 answers
solution1
3 ACCPTED 2010-11-08 00:06:35
There is some pretty thorough info in this previous question: Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?
Basically, mysql_real_escape_string() gets the job done unless you want to rework (and possibly simplify) all your database interactions.
solution2
2 2010-11-08 00:02:10
I think mysql_real_escape_string is enough for storing in the database and warding against any sql injection attack. But other validation is a good idea to have just so that your dataset is more regular and less prone to contain junk.
For presenting any of this data, filtering (ala Drupal style etc. ) It's a good idea too.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.