php 5 protect input from sql injection

[Dizel]

i just want to ask you guys if this works 100% from SQL injection?

$name = filter_var($_POST['login'], FILTER_SANITIZE_STRING);

$pass = filter_var($_POST['pass'],FILTER_SANITIZE_STRING);

[Pikachu2000]

If you're using MySQL, then you have mysql_real_escape_string and mysqli_real_escape_string available for escaping string data.

[scootstah]

i just want to ask you guys if this works 100% from SQL injection?

$name = filter_var($_POST['login'], FILTER_SANITIZE_STRING);

$pass = filter_var($_POST['pass'],FILTER_SANITIZE_STRING);

 

No. That doesn't even sort-of prevent SQL injection. What you need to be doing is escaping the string (see Pikachu's response above) or using prepared statements (with the MySQLi or PDO drivers).

[xyph]

If you're using MySQL, then you have mysql_real_escape_string and mysqli_real_escape_string available for escaping string data.

 

This is the CORRECT way, because it takes MySQL's character encoding settings into effect when escaping.

 

Using a specific-to-engine solution will generally give you the best results.

[Dizel]

well you right but i mostly use this when i work with PDO,  earlier in my projects i wrote the whole function to remove all characters and stuff like that

[scootstah]

That's not going to prevent SQL injection with PDO either. PDO has its own escape method ($PDO->quote()) if you aren't using prepared statements.