How to sanitize data in php in order to avoid SQL injection?
Question
I already used the PDO:
$stmt = $aPDO->prepare("INSERT INTO ".$this->getM_oUser()->getM_sTableName()." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
$stmt->bindValue(':email', $this->getM_oUser()->getM_sEmail());
$stmt->bindValue(':hash_pw', $this->getM_oUser()->getM_sHash_pw());
$stmt->bindValue(':hash_key', $this->getM_oUser()->getM_sHash_Key());
$stmt->execute();
Should I also use mysql_real_escape_string() to handle the user input string? Thank you.
2 answers
solution1
1 2011-08-01 08:44:59
Using prepared statements with bound parameters is enough. You don't need to use mysql_real_escape_string (and you probably could not even if you wanted -- you 'd need a MySql connection resource in hand to do it).
solution2
0 2011-08-01 09:36:33
I'd do something like that to exclude a lot of useless characters from your table name:
$tableName = '`' . preg_replace('`[^-a-zA-Z0-9_]`', $this->getM_oUser()->getM_sTableName()).'`';
$stmt = $aPDO->prepare("INSERT INTO ".$tableName." (email, hash_pw, hash_key) VALUES (:email, :hash_pw, :hash_key)");
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Is FILTER_SANITIZE_STRING enough to avoid SQL injection and XSS attacks?
How to avoid “PHP injection”
How to avoid SQL injection and XSS attacks when in PHP?
Avoid SQL injection in registration form php
The safest way to avoid SQL injection in PHP?
How to validate and sanitize array of data in php?
how to avoid sql injection with sql constants
PHP Sanitize Data
How to avoid SQL Injection in SQL query with Like % Operator. only php mysql
How to validate integer values to avoid SQL injection?
Related Tags