stribor40 Posted July 10, 2013 Share Posted July 10, 2013 Once I collect user input from my form I have to insert it into database. What is proper way of cleaning the data before insertion into db. Does it have to be done both client and server side? What kind of function have to be applied to each iput? All my inputs are basically dates,numbers and message boxes. I noticed that when I try to isert that contains single quote i receive error from ms sql server. Obsviosly I would have to replace single quotes. How do i replace them and how do i add single qoute when i retrieve record from database. Quote Link to comment https://forums.phpfreaks.com/topic/280014-cleaning-user-inout-before-storing-it-into-db/ Share on other sites More sharing options...
AbraCadaver Posted July 10, 2013 Share Posted July 10, 2013 Use PDO and prepared statements. You probably should check your data to make sure its the proper type (int, date, etc) but prepared statements will escape your data and make sure things like single quote/apostrophe are escaped correctly and that escaping will also escape out things in a SQL injection attempt. Quote Link to comment https://forums.phpfreaks.com/topic/280014-cleaning-user-inout-before-storing-it-into-db/#findComment-1440106 Share on other sites More sharing options...
stribor40 Posted July 10, 2013 Author Share Posted July 10, 2013 i already wrote some code using odbc. can i still keep that and use odbc functions to clean the input Quote Link to comment https://forums.phpfreaks.com/topic/280014-cleaning-user-inout-before-storing-it-into-db/#findComment-1440112 Share on other sites More sharing options...
web_craftsman Posted July 11, 2013 Share Posted July 11, 2013 to clean number you just need to do like that: $x = (int) $_POST['somenumber']; to work with string type try to use addslashes function (though i am not familiar with odbc driver. You just try). how do i add single qoute when i retrieve record from database you would not need to. Quote Link to comment https://forums.phpfreaks.com/topic/280014-cleaning-user-inout-before-storing-it-into-db/#findComment-1440275 Share on other sites More sharing options...
AbraCadaver Posted July 11, 2013 Share Posted July 11, 2013 I also am not sure how ODBC handles data, but you should probably look at the ODBC driver for PDO as it may have escaping built-in. I do know that for MS SQL that to escape a single quote ' you just add an additional single quote '' (two single quotes), so a query would look like: SELECT * FROM table_name WHERE lastname = 'O''reilly' There are other characters that may need to be escaped and that would depend on the database being used and if the ODBC driver changes the requirements. Quote Link to comment https://forums.phpfreaks.com/topic/280014-cleaning-user-inout-before-storing-it-into-db/#findComment-1440312 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.