freelance84 Posted April 27, 2010

OK, the book I am learning from offers two alternatives for safe user input for MySQL.

First:

function sanitizeString($var)
{
    // read the POST value first, then strip magic-quotes slashes, then escape
    $string = $_POST[$var];
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}

Second: Using Placeholders.

As I am just starting out in PHP, would an expert be kind enough to tell me which is best? The book I'm learning from suggests that the latter is "virtually bulletproof", so would I be best using this one?
freelance84 Posted April 27, 2010 (Author)

Or would it be best to use:

function get_post($var)
{
    return mysql_real_escape_string($_POST[$var]);
}

... to get the POST items, then use placeholders to place them into the database?
Mchl Posted April 27, 2010

What do you mean by placeholders?
freelance84 Posted April 27, 2010 (Author)

This is the example from the book:

<?php
require 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());

$query = 'PREPARE statement FROM "INSERT INTO classics VALUES(?,?,?,?,?)"';
mysql_query($query);

$query = 'SET @author = "Emily Brontë",' .
         '@title = "Wuthering Heights",' .
         '@category = "Classic Fiction",' .
         '@year = "1847",' .
         '@isbn = "9780553212587"';
mysql_query($query);

$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query);

$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
?>
Mchl Posted April 27, 2010

You mean prepared statements. They're indeed the most secure way, and if you use them properly, there's no need for escaping variables in the script (you still need to take care of magic_quotes and other sanitising, though). The best way to use prepared statements is with ext/mysqli. See mysqli_prepare.
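An added example of what the reply above points at, written here for the thread and not taken from the book or from any of the posters: the same INSERT as the PREPARE/EXECUTE snippet, done with ext/mysqli and mysqli_stmt::bind_param instead of the old mysql_* functions. The table name classics and its five columns (author, title, category, year, isbn, all bound as strings to match the book's example) are assumed; the connection values are placeholders. The get_post helper only undoes magic_quotes_gpc, which existed on PHP before 5.4; the function_exists guard keeps the code running on later versions where that setting is gone.

```php
<?php
// Added example (not from the thread or the book): INSERT via mysqli prepared
// statements. Assumes table `classics` with five string columns
// (author, title, category, year, isbn); connection details are placeholders.

// Return a raw POST value. On old PHP installs with magic_quotes_gpc on, undo
// the automatic backslashes so the value is not escaped twice. No manual
// escaping here: the prepared statement handles that.
function get_post($var)
{
    if (!isset($_POST[$var])) return '';
    $value = $_POST[$var];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Insert one row. The SQL text contains only ? markers; the values travel to
// the server separately, so quotes or comment sequences in the input cannot
// change the structure of the statement.
function insert_classic(mysqli $db, $author, $title, $category, $year, $isbn)
{
    $stmt = $db->prepare(
        'INSERT INTO classics (author, title, category, year, isbn)'
        . ' VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // "sssss": five parameters, each sent as a string (as in the book's example)
    $stmt->bind_param('sssss', $author, $title, $category, $year, $isbn);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;   // 1 on success
}

// Placeholder credentials; replace with the values from login.php.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Unable to connect to MySQL: ' . $db->connect_error);
}
// Tell the driver the connection charset so multibyte input is handled correctly
$db->set_charset('utf8mb4');

insert_classic(
    $db,
    get_post('author'),
    get_post('title'),
    get_post('category'),
    get_post('year'),
    get_post('isbn')
);
$db->close();
?>
```

The point the reply makes shows up in get_post: with a prepared statement the script never calls mysql_real_escape_string at all, and the only thing left to strip is the magic_quotes backslashes. Any other validation (a four-digit year, a thirteen-character ISBN) is a separate, application-level check that the prepared statement does not do for you.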
freelance84 Posted April 27, 2010 (Author)

Ah OK, thanks, I'll look at mysqli_prepare.