Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m just discovering PHPs sanitize and Validate filters, and I had been using MySQL’s mysql_escape_string to stop SQL Injection.
Now I discover that PHP can also help and I guess logically these procedures are not exclusive in their function: ie you can sanitize and validate in PHP and still arrive at a situation where escaping is necessary.
Am I right or am I overlooking something?
Nope, you’re totally right. Big font incoming for the casual readers that might somehow miss the point of your question.
Different types of output require different types of protection.
Nuke things that could be HTML, and you’ll be safer against XSS. Properly quote and escape your database input, and you’ll be safer against SQL Injection. Watch for unexpected input everywhere and you will increase the safety of your code.
It is a wonderful thing that you now fully realize this. Too many people don’t.
These are nice, aren’t they? They’re a good part of modern PHP. Use them religiously and they will not fail you. Except for the email one, it fails a large number of edge-ish cases; I prefer is_email.
This is … not a good part of modern PHP. I also hope you’re using the escape string function with the word "real" in it, otherwise you may be in trouble.
I think you are ready for the next step: Learn PDO. It has prepared statements and query placeholders, which will provide you free and complete protection against SQL Injection, when you use it properly. PDO is available anywhere that modern PHP versions are available. It’s built right in. Use it, learn it, love it. Or else you are doomed. Doomed!