Been developing an application using PHP’s PEAR framework, but ran into an issue where I am double-escaping/quoting input and it wasn’t letting newlines (\n) show up properly. Searching forums came up with a mix of answers, but was wondering if anyone has advice for whether using PEAR’s escape() or quote() functions is enough for SQL injection security, or should I stick with using mysql_real_escape_string()? I’m trying to use nl2br() + htmlspecialchars() to spit out the content afterwards, and originally incorrectly used the following to escape input:
$db->quote(mysql_real_escape_string(trim($_POST['text'])));
Use the escaping function of your database driver. If you’re using a PEAR package to connect to the database, use its escaping function. If you’re using the raw mysql functions, use mysql_real_escape_string. Don’t use more than one (as you have figured out). Better yet, go with the times and use modern prepared statements, for example PHP’s PDO class.
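As an added illustration of the answer above (example code, not from the question author or the answerer): the text is stored through a PDO prepared statement, so it is never escaped by hand and no double-escaping can occur, and it is rendered with htmlspecialchars() followed by nl2br() so the newlines survive. The table name posts, its columns id and body, and the DSN and credentials are placeholders assumed for the example.

```php
<?php
// Added example, not part of the original thread. Assumes a MySQL table
// `posts` (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT); DSN and
// credentials below are placeholders.

$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder
$pdo = new PDO($dsn, 'app_user', 'placeholder-password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

// Store the text exactly as typed (newlines included). The value is sent as a
// bound parameter, so neither quote() nor mysql_real_escape_string() is needed,
// and applying either would only add stray backslashes to the stored text.
function savePost(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => trim($text)]);
    return (int) $pdo->lastInsertId();
}

// Read a post back by id; the id is bound as well rather than concatenated.
function loadPost(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Escape for HTML first, then turn "\n" into <br />. The reverse order would
// escape the inserted <br /> tags and show them as literal text.
function renderPost(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$id = savePost($pdo, $_POST['text'] ?? '');
echo renderPost(loadPost($pdo, $id) ?? '');
```

Because the driver separates the SQL text from the parameter values, the database sees the submitted string as data only; the output step is the only place any escaping happens, and it is escaping for HTML, not for SQL.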