Home/ Questions/Q 8072825
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T14:09:08+00:00

In a login script I found onlline, the creator added this function to prevent

  • 0

In a login script I found onlline, the creator added this function to prevent SQL-injection attacks.

function Fix($str) {
    $str = trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

Since I read that magic_quotes_gpc is (or has been) removed, it feels like this function is a bit outdated. Wouldn’t just simply using mysqli_real_escape_string($user_input) add sufficient security?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend. The better solution is using Prepared Statements

    //example from http://php.net/manual/en/pdo.prepared-statements.php

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

    Also, not to forget HTMLPurifier that can be used to discard any invalid/suspicious characters.

    mysql_real_escape_string() versus Prepared Statements

    mysql_real_escape_string() prone to
    the same kind of issues affecting
    addslashes().

    Answer From Chris Shiflett (Security Expert)

    • 0