Jump to content

How good or bad is the SQL filtering?


anderson_catchme
 Share

Recommended Posts

I have a SQL statement which is difficult to use PDO on, it might not even be possible to do.

So I'm filtering it like this:

$search = $_GET['search'];
$search = preg_replace("/[^A-Za-z0-9]/", " ", $search);
$search = $mysqli->real_escape_string($search);

Will this result in an acceptable level of security?

Edited by anderson_catchme
Link to comment
Share on other sites

None of this is a valid reason for giving up a robust solution in favor of some homegrown “filtering” stuff.

 

In fact, this makes absolutely no sense whatsoever. Where are the quotes? Why on earth would you replace non-alphanumerics with spaces? What is the mysqli_real_escape_string() supposed to do when you've already removed all of its target characters?

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.