Dizel, posted June 26, 2012
Thread: https://forums.phpfreaks.com/topic/264840-php-5-protect-input-from-sql-injection/

I just want to ask you guys if this works 100% against SQL injection?

$name = filter_var($_POST['login'], FILTER_SANITIZE_STRING);
$pass = filter_var($_POST['pass'], FILTER_SANITIZE_STRING);
Pikachu2000, posted June 26, 2012

If you're using MySQL, then you have mysql_real_escape_string and mysqli_real_escape_string available for escaping string data.
scootstah, posted June 27, 2012

Quote (Dizel): I just want to ask you guys if this works 100% against SQL injection?
$name = filter_var($_POST['login'], FILTER_SANITIZE_STRING);
$pass = filter_var($_POST['pass'], FILTER_SANITIZE_STRING);

No. That doesn't even sort of prevent SQL injection. What you need to be doing is escaping the string (see Pikachu's response above) or using prepared statements (with the MySQLi or PDO drivers).
xyph, posted June 27, 2012

Quote (Pikachu2000): If you're using MySQL, then you have mysql_real_escape_string and mysqli_real_escape_string available for escaping string data.

This is the CORRECT way, because it takes MySQL's character encoding settings into account when escaping. Using a solution specific to the engine will generally give you the best results.
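The escaping route Pikachu2000 and xyph describe, as an added example that is not code from the thread. It assumes a reachable MySQL server with the placeholder credentials shown and a table users(id, login, pass_hash); the old mysql_* extension was removed in PHP 7, so it uses MySQLi. The point xyph makes about character encoding is why set_charset() is called through the API rather than with a "SET NAMES" query: real_escape_string() escapes according to the charset the client library believes the connection uses, and only a value placed inside quotes in the SQL text is protected by it.

```php
<?php
// Added example, not from the thread. Assumes a live MySQL server reachable
// with the placeholder credentials below, the mysqlnd driver (for get_result),
// and a table users(id INT, login VARCHAR, pass_hash VARCHAR).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
// Set the charset through the API so the escaping routine and the server
// agree on which bytes are quote characters. A raw "SET NAMES" query does
// not update the client library's idea of the charset.
$db->set_charset('utf8mb4');

function findUserEscaped(mysqli $db, string $login): ?array
{
    // real_escape_string() only protects a value that sits INSIDE quotes in
    // the SQL text; the single quotes around %s are part of the defence.
    $sql = sprintf(
        "SELECT id, login, pass_hash FROM users WHERE login = '%s'",
        $db->real_escape_string($login)
    );
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

function findUserByIdBroken(mysqli $db, string $id): ?array
{
    // BROKEN on purpose: with no surrounding quotes there is nothing for
    // real_escape_string() to escape, so an input like "1 OR 1=1" passes
    // straight through. Escaping is not a substitute for a placeholder.
    $sql = 'SELECT id, login, pass_hash FROM users WHERE id = ' . $db->real_escape_string($id);
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

function findUserPrepared(mysqli $db, string $login): ?array
{
    // Preferred: the value is bound to a placeholder and never becomes part
    // of the SQL text, so there is nothing to escape.
    $stmt = $db->prepare('SELECT id, login, pass_hash FROM users WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$hostile = "' OR 1=1 -- ";
var_dump(findUserEscaped($db, $hostile));   // NULL: the quote was escaped
var_dump(findUserPrepared($db, $hostile));  // NULL: compared as a literal string
var_dump(findUserByIdBroken($db, '1 OR 1=1')); // returns a row: injection succeeded
```

findUserByIdBroken is included to show the limit of escaping: it is only meaningful for values that end up inside a quoted string literal. For numeric positions, cast the value (for example `(int)$id`) or, better, use the prepared statement with bind_param('i', ...).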
Dizel (author), posted June 27, 2012

Well, you're right, but I mostly use this when I work with PDO. Earlier in my projects I wrote a whole function to remove all characters and stuff like that.
scootstah, posted June 27, 2012

That's not going to prevent SQL injection with PDO either. PDO has its own escape method ($PDO->quote()) if you aren't using prepared statements.
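The three PDO approaches discussed in this thread (string interpolation, scootstah's $PDO->quote(), and the prepared statements scootstah recommends in the earlier reply), side by side on the same hostile login value. This is an added example, not code from the thread; it runs offline against an in-memory SQLite database (it assumes the pdo_sqlite extension) so that the difference is observable without a MySQL server, and the one sample row is constructed for the demo.

```php
<?php
// Added example, not from the thread. Uses SQLite in memory (pdo_sqlite
// assumed) so it runs stand-alone; replace the DSN for MySQL in real use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (login TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
// Constructed sample row. Store a password hash, never the password itself.
$seed = $pdo->prepare('INSERT INTO users (login, pass_hash) VALUES (?, ?)');
$seed->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. Interpolation: the input is spliced into the SQL text. Vulnerable.
function findUserInterpolated(PDO $pdo, string $login): ?array
{
    $sql = "SELECT login, pass_hash FROM users WHERE login = '$login'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 2. PDO::quote(): escapes the value AND adds the surrounding quotes.
//    Acceptable only where a placeholder really cannot be used; it still
//    relies on the driver knowing the connection charset.
function findUserQuoted(PDO $pdo, string $login): ?array
{
    $sql = 'SELECT login, pass_hash FROM users WHERE login = ' . $pdo->quote($login);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 3. Prepared statement: the value is bound and never parsed as SQL. Preferred.
function findUserPrepared(PDO $pdo, string $login): ?array
{
    $stmt = $pdo->prepare('SELECT login, pass_hash FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The submitted password never goes into the query at all: look the user up
// by login, then compare against the stored hash in PHP.
function checkLogin(PDO $pdo, string $login, string $password): bool
{
    $row = findUserPrepared($pdo, $login);
    return $row !== null && password_verify($password, $row['pass_hash']);
}

$hostile = "' OR 1=1 -- ";
var_dump(findUserInterpolated($pdo, $hostile)['login'] ?? null); // "alice": the WHERE clause was bypassed
var_dump(findUserQuoted($pdo, $hostile));                        // NULL: the quote was escaped
var_dump(findUserPrepared($pdo, $hostile));                      // NULL: compared as a literal string
var_dump(checkLogin($pdo, 'alice', 'correct horse'));            // true
var_dump(checkLogin($pdo, 'alice', 'wrong'));                    // false
```

When the DSN points at MySQL, put the charset in the DSN (for example `mysql:host=...;dbname=...;charset=utf8mb4`): the MySQL PDO driver emulates prepared statements by default, which means the escaping happens client-side and depends on that charset just as xyph describes for mysqli_real_escape_string. Setting `PDO::ATTR_EMULATE_PREPARES` to false makes the server parse the statement with real placeholders instead.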