
sanitise pdo query()


purencool


Hi phpfreaks

 

I have created this method that uses PDO and the PDO query() method. My question is: I would usually use mysql_real_escape_string, but I am not sure if I should or not.

 

The information is saying that if I use prepare I don't, and if I use query I do have to sanitise. Any information would be greatly appreciated.

 

    private function queryPDO($query) {
        $result = null;   // defined even when the query throws, so the return is never undefined
        try {
            echo "QueryPDO<br>";
            $this->dataObj->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $stmt = $this->dataObj->query($query);
            $result = $stmt->fetch(PDO::FETCH_OBJ);
            print_r($result);
        } catch (PDOException $e) {
            // record the error instead of discarding the result of getMessage()
            error_log($e->getMessage());
        }
        return $result;
    }

Link to comment
https://forums.phpfreaks.com/topic/225919-sanitise-pdo-query/
Share on other sites

You can just build your own sanitize if you want.

I removed a few characters you may want; I don't even remember what they were, but you get the idea.

 

function anti_injection($sql) {
    // blacklist filter; the /i modifier replaces sql_regcase(), which no longer exists in PHP
    $sql = preg_replace("/(127.0.0.1|drop table|show tables|\'|'\| |;|\|'|<|>|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    // get_magic_quotes_gpc() is gone since PHP 8 (and always false since 5.4), so addslashes() always applies
    $sql = addslashes($sql);
    return $sql;
}


But there are already functions for that.

 

PDO::quote()

http://docs.php.net/manual/en/pdo.quote.php

 

Returns a quoted string that is theoretically safe to pass into an SQL statement. Returns FALSE if the driver does not support quoting in this way.

 

But the preferred method is this, though it takes more work.

http://docs.php.net/manual/en/pdo.prepare.php

 

I often wondered why they don't make databases default to not accepting bad characters; if anything, make an "accept this bad character" function, ha ha.

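The two approaches the replies point to, as an added example that is not code from the thread: prepare() with a bound placeholder, and PDO::quote() for the case where a built string really has to go to query(). It assumes the pdo_sqlite driver, an in-memory table and a constructed input containing a single quote.

```php
<?php
// Added example: in-memory SQLite so it runs offline; table, rows and $needle are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Smith')"); // constructed rows

$needle = "O'Brien"; // constructed "user input" that contains a single quote

// 1. Preferred: prepare() with a placeholder. The value travels separately from
//    the SQL text, so it needs no escaping (and must not be escaped as well).
function findByNamePrepared(PDO $pdo, string $name): ?object
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// 2. Only if you must build the string for query(): PDO::quote() adds the
//    surrounding quotes plus driver-specific escaping. Check for false, because
//    some drivers do not support quoting this way.
function findByNameQuoted(PDO $pdo, string $name): ?object
{
    $quoted = $pdo->quote($name);
    if ($quoted === false) {
        throw new RuntimeException('this PDO driver does not support quote()');
    }
    $stmt = $pdo->query("SELECT id, name FROM users WHERE name = $quoted");
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// 3. Neither: interpolating the raw value. The quote in the input ends the SQL
//    string early; that is this error and also why unescaped input is unsafe.
function findByNameRaw(PDO $pdo, string $name): ?object
{
    $stmt = $pdo->query("SELECT id, name FROM users WHERE name = '$name'");
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

echo "prepared: ", findByNamePrepared($pdo, $needle)->name, "\n";
echo "quoted:   ", findByNameQuoted($pdo, $needle)->name, "\n";
try {
    findByNameRaw($pdo, $needle);
} catch (PDOException $e) {
    echo "raw:      PDOException: ", $e->getMessage(), "\n";
}
```

The first two calls both find O'Brien; the third throws, which is the same failure the thread's mysql_real_escape_string question is about.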
