freelance84 Posted April 27, 2010

OK, the book I am learning from offers two alternatives to safe user input for MySQL.

First:

function sanitizeString($var)
{
    // Fetch the POST value by name, undo the backslashes magic_quotes_gpc adds
    // (so the value is not escaped twice), then escape it for use in a MySQL query
    $string = $_POST[$var];
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}

Second: Using Placeholders.

As I am just starting out in PHP, would an expert be kind enough to tell me which is best? The book I'm learning from suggests that the latter is "virtually bulletproof", so would I be best using this one?

https://forums.phpfreaks.com/topic/199894-magic-quotes-or-placeholders/
freelance84 (Author) Posted April 27, 2010

Or would it be best to use:

function get_post($var)
{
    // Fetch a POST value by name and escape it for use in a MySQL query
    return mysql_real_escape_string($_POST[$var]);
}

... to get the POST items, then use placeholders to place them into the database?
Mchl Posted April 27, 2010

What do you mean by placeholders?
freelance84 (Author) Posted April 27, 2010

This is the example from the book:

<?php
require 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());

// Prepare the statement on the server side; the ? placeholders are filled in later
$query = 'PREPARE statement FROM "INSERT INTO classics VALUES(?,?,?,?,?)"';
mysql_query($query);

// Assign the values to MySQL user variables
$query = 'SET @author = "Emily Brontë",' .
         '@title = "Wuthering Heights",' .
         '@category = "Classic Fiction",' .
         '@year = "1847",' .
         '@isbn = "9780553212587"';
mysql_query($query);

// Execute the prepared statement with the user variables as its parameters
$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query);

// Release the prepared statement
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
?>
Mchl Posted April 27, 2010

You mean prepared statements. They're indeed the most secure way, and if you use them properly, there's no need for escaping variables in the script (you still need to take care of magic_quotes, and other sanitising, though). The best way to use prepared statements is with ext/mysqli. See mysqli_prepare.
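As an added example (not code from the book or from this thread), the same INSERT written with ext/mysqli prepared statements as recommended above. It assumes login.php defines $db_hostname, $db_username, $db_password and $db_database as in the book's snippet, and that the `classics` table has the columns author, title, category, year and isbn.

```php
<?php
// Added example: the book's PREPARE/EXECUTE insert done with ext/mysqli.
// Assumes login.php defines $db_hostname, $db_username, $db_password, $db_database
// and that `classics` has columns author, title, category, year, isbn.
require 'login.php';

// Prepared statements remove the need to escape values, but magic_quotes_gpc
// (if it is on) has already added backslashes that would otherwise be stored.
// The function_exists() check keeps this working on PHP versions that removed it.
function get_post_raw($key)
{
    if (!isset($_POST[$key])) return null;
    $value = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$db = new mysqli($db_hostname, $db_username, $db_password, $db_database);
if ($db->connect_error) die("Unable to connect to MySQL: " . $db->connect_error);

// The SQL text contains only placeholders; the user's data is sent separately
// from the query, so quotes or SQL keywords in it are stored as plain text.
$stmt = $db->prepare(
    'INSERT INTO classics (author, title, category, year, isbn) VALUES (?, ?, ?, ?, ?)'
);
if (!$stmt) die("Prepare failed: " . $db->error);

$author   = get_post_raw('author');
$title    = get_post_raw('title');
$category = get_post_raw('category');
$year     = get_post_raw('year');
$isbn     = get_post_raw('isbn');

// 'sssss': all five parameters are bound as strings, like the book's sample data
$stmt->bind_param('sssss', $author, $title, $category, $year, $isbn);
if (!$stmt->execute()) die("Insert failed: " . $stmt->error);

echo "Inserted " . $stmt->affected_rows . " row(s)";
$stmt->close();
$db->close();
?>
```

Note that the mysql_* functions and get_magic_quotes_gpc() used elsewhere in this thread were later removed from PHP, so the mysqli route is also the one that keeps working.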
freelance84 (Author) Posted April 27, 2010

Ah ok, thanks, I'll look at mysqli_prepare.