stribor40 Posted July 10, 2013 Once I collect user input from my form I have to insert it into the database. What is the proper way of cleaning the data before insertion into the db? Does it have to be done both client and server side? What kind of function has to be applied to each input? All my inputs are basically dates, numbers and message boxes. I noticed that when I try to insert something that contains a single quote I receive an error from MS SQL Server. Obviously I would have to replace single quotes. How do I replace them, and how do I add the single quote back when I retrieve the record from the database?
AbraCadaver Posted July 10, 2013 Use PDO and prepared statements. You probably should check your data to make sure it's the proper type (int, date, etc.), but prepared statements will escape your data and make sure things like single quote/apostrophe are escaped correctly, and that escaping will also escape out things in a SQL injection attempt.
stribor40 Posted July 10, 2013 I already wrote some code using ODBC. Can I still keep that and use ODBC functions to clean the input?
web_craftsman Posted July 11, 2013 To clean a number you just need to do it like this: $x = (int) $_POST['somenumber']; To work with the string type try to use the addslashes function (though I am not familiar with the ODBC driver. You just try). "how do I add the single quote back when I retrieve the record from the database" You would not need to.
AbraCadaver Posted July 11, 2013 I also am not sure how ODBC handles data, but you should probably look at the ODBC driver for PDO as it may have escaping built in. I do know that for MS SQL, to escape a single quote ' you just add an additional single quote '' (two single quotes), so a query would look like: SELECT * FROM table_name WHERE lastname = 'O''reilly' There are other characters that may need to be escaped, and that would depend on the database being used and whether the ODBC driver changes the requirements.
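Putting the thread's advice together as an added example (not code from any poster): server-side type checks for the number and date fields, then a PDO ODBC prepared statement so the single quote in a message needs no manual doubling on the way in and no un-escaping on the way out. The DSN name "MyMsSqlDsn", the table "messages" and its column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a DSN named "MyMsSqlDsn", a table
// "messages" with columns amount, event_date, message, and a form posting those fields.

function validateInput(array $post): array
{
    $errors = [];
    // Number: FILTER_VALIDATE_INT rejects "12abc", whereas (int) would silently turn it into 12.
    $amount = filter_var($post['amount'] ?? '', FILTER_VALIDATE_INT);
    if ($amount === false) {
        $errors[] = 'amount must be an integer';
    }
    // Date: parse strictly as YYYY-MM-DD and reject anything that does not round-trip.
    $dateText = (string) ($post['event_date'] ?? '');
    $date = DateTime::createFromFormat('Y-m-d', $dateText);
    if ($date === false || $date->format('Y-m-d') !== $dateText) {
        $errors[] = 'event_date must be YYYY-MM-DD';
    }
    // Free text: enforce a length limit only. Quotes are left alone; the driver handles them.
    $message = (string) ($post['message'] ?? '');
    if (strlen($message) > 2000) {
        $errors[] = 'message too long';
    }
    return [$errors, ['amount' => $amount, 'event_date' => $dateText, 'message' => $message]];
}

[$errors, $clean] = validateInput($_POST);
if ($errors) {
    http_response_code(400);
    exit(implode("\n", $errors));
}

$pdo = new PDO('odbc:MyMsSqlDsn', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// The SQL text never contains the user's values; they travel separately as parameters,
// so a message like O'Reilly is stored exactly as typed and cannot alter the statement.
$stmt = $pdo->prepare('INSERT INTO messages (amount, event_date, message) VALUES (:amount, :event_date, :message)');
$stmt->bindValue(':amount', $clean['amount'], PDO::PARAM_INT);
$stmt->bindValue(':event_date', $clean['event_date']);
$stmt->bindValue(':message', $clean['message']);
$stmt->execute();

// Reading it back needs no un-escaping either: the stored text comes out as it went in.
$stmt = $pdo->prepare('SELECT message FROM messages WHERE amount = :amount');
$stmt->execute([':amount' => $clean['amount']]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
```

If the existing odbc_* code must stay, the same separation of SQL text and values is available through odbc_prepare() and odbc_execute(); the manual doubling of single quotes is only needed when values are concatenated into the query string.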