delickate Posted February 17, 2012
Hi, I'm inserting data into a database, which is going fine, but I want to make sure how to insert secure data into the database to avoid SQL injection. What function should I use to insert secure data into the database? Can anyone guide me, please? Thanks

darkfreaks Posted February 17, 2012
You can use mysql_real_escape_string or PDO. I would go with PDO; it is more secure in my opinion.

delickate Posted February 17, 2012
Thanks for the reply. What is PDO? Can you give me an example of that? E.g., if we code for mysql_real_escape_string() like this:

    echo "insert into table(feidlname) values('".mysql_real_escape_string($value) ."')";

how would we do the code for PDO? Like this:

    echo "insert into table(feidlname) values('".PDO($value) ."')";

Please guide. Thanks

darkfreaks Posted February 17, 2012
http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html#4.3

delickate Posted February 17, 2012
Thanks a lot. You are really helpful. Thanks again.

cyberRobot Posted February 17, 2012
You'll also want to validate / sanitize the data, if you haven't done so already. For example, if a field is supposed to be a number, you could check by using something like ctype_digit():

    <?php
    // ctype_digit() only accepts strings, so cast the value before testing it
    if( ctype_digit( (string) $numToTest) ) {
        print "Number; continue processing";
    } else {
        print "Not a number; flag error";
    }
    ?>

If selecting one of several radio buttons in a form, make sure the value corresponds with one of the options. If the value isn't supposed to contain HTML / PHP tags, you could run strip_tags() to remove them.
http://php.net/manual/en/function.strip-tags.php
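
An added example, not part of any post in this thread: the insert from delickate's question done with a PDO prepared statement, combined with the ctype_digit() check cyberRobot describes. The in-memory SQLite database, the table items, the columns fieldname and qty, and the function insert_item() are assumptions made so the example runs offline; with MySQL the DSN and credentials passed to new PDO change.

```php
<?php
// Added example: table/column names and insert_item() are hypothetical.
// An in-memory SQLite database stands in for MySQL so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, fieldname TEXT, qty INTEGER)');

/**
 * Validate first, then insert through a prepared statement.
 * Returns true when the row was stored, false when validation rejected it.
 */
function insert_item(PDO $pdo, string $name, string $qty): bool
{
    // qty must be digits only, as with ctype_digit() in the post above.
    if (!ctype_digit($qty)) {
        return false;
    }
    // Placeholders keep the values out of the SQL text: the statement is
    // prepared with :name and :qty as parameters, and the values are bound
    // afterwards as data, so quotes in $name cannot change the query.
    $stmt = $pdo->prepare('INSERT INTO items (fieldname, qty) VALUES (:name, :qty)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':qty', (int) $qty, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample input, including values with quotes and SQL syntax.
$samples = [
    ["O'Brien", '3'],
    ["x'); DROP TABLE items; --", '1'],
    ['gadget', '2 OR 1=1'],   // rejected: qty is not all digits
];

foreach ($samples as [$name, $qty]) {
    $ok = insert_item($pdo, $name, $qty);
    echo ($ok ? 'stored:   ' : 'rejected: ') . $name . PHP_EOL;
}

// Read the rows back: quoted values come out as the strings that went in.
foreach ($pdo->query('SELECT fieldname, qty FROM items') as $row) {
    echo $row['qty'] . ' x ' . $row['fieldname'] . PHP_EOL;
}
```

With the MySQL driver, setting PDO::ATTR_EMULATE_PREPARES to false makes the server prepare the statement instead of PDO substituting escaped values on the client side.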