phppup Posted March 30, 2018 Share Posted March 30, 2018 I'm starting of with a simple form to gather information and then store it in a database. While researching methods and techniques I discovered this: $firstname = mysql_real_escape_string($_POST['firstname']); $lastname = mysql_real_escape_string($_POST['lastname']); $email = mysql_real_escape_string($_POST['email']); Is it necessary to run mysql_real_escape_string for every item? Is there a more effective/efficient manner to handle this? Is there a better approach from a security standpoint? Please educate me. Quote Link to comment Share on other sites More sharing options...
Barand Posted March 30, 2018 Share Posted March 30, 2018 Yes - use prepared statements with parameters passed to the query. Quote Link to comment Share on other sites More sharing options...
ginerjm Posted March 30, 2018 Share Posted March 30, 2018 Read up on the use of the MySQL* functions. They are no longer supported and you are using very outdated information to begin your project. My suggestion - read up on the PDO extension (or the mysqlI one if you have to) and learn how prepared statements are the MUCH better way to structure your queries. From the sound of your post you need to do a lot of reading to teach yourself how to program and how to write queries and how to handle user inputs. Good luck! Quote Link to comment Share on other sites More sharing options...
.thumb.jpeg.5da54518df0b69c737e8dabbcace30bb.jpeg)
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.