Avoiding SQL injection using mysql_real_escape_string and stripslashes
Question
Is this a good way to prevent SQL injection before running a database query?
$name = mysql_real_escape_string(stripslashes($name));
$age = mysql_real_escape_string(stripslashes($age));
$location = mysql_real_escape_string(stripslashes($location));
Thanks in advance!
1 answers
solution1
4 ACCPTED 2012-02-22 11:36:05
This answers it well:
- mysql_real_escape_string() versus Prepared Statements by Ilia Alshanetsky
So what can you do? The solution is to use prepared statements , which are supported by nearly all PHP database extensions with the notable exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on the safe side, I'd recommend using the PDO interface to talks with those databases or in the case of MySQL using the newer MySQLi (ext/mysqli) extension. Those interfaces provide prepared statement support, which allows for separation between query structure and the query parameters.
So to be on safer side, don't rely on mysql_real_escape_string alone, using prepared statements is much better.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.