Is mysql_real_escape_string sufficient for cleaning user input in most situations?
Edit:
I’m thinking mostly in terms of preventing SQL injection but I ultimately want to know if I can trust user data after I apply mysql_real_escape_string or if I should take extra measures to clean the data before I pass it around the application and databases.
I see where cleaning for HTML chars is important but I wouldn’t consider it necessary for trusting user input.
mysql_real_escape_string is not sufficient in all situations, but it is definitely a very good friend. The better solution is using Prepared Statements. Also, do not forget HTMLPurifier, which can be used to discard any invalid/suspicious characters.
Edit:
Based on the comments below, I need to post this link (I should have done so before; sorry for creating confusion):
mysql_real_escape_string() versus Prepared Statements
Quoting:
Chris Shiflett (Security Expert)
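Added example, not from the original question or answer: the situation in which escaping alone is not sufficient, worked in Python against an in-memory SQLite database so it runs offline. It assumes a quote-doubling escape() as the SQLite stand-in for mysql_real_escape_string() (MySQL backslash-escapes instead, but the limitation is the same): an escaping function only neutralises quote and control characters, so it protects a value placed inside a quoted string literal and does nothing for a value placed in an unquoted numeric position such as WHERE id = $id. A parameterised (prepared) query keeps the value out of the SQL text in both cases. The table, rows, function names and payloads are all constructed for this example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string() (assumption: SQLite escapes a
    quote inside a literal by doubling it, where MySQL backslashes it).
    Like the PHP function, it only neutralises quote characters; it has no
    idea whether the caller will actually wrap the result in quotes."""
    return value.replace("'", "''")


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Quoted string context: escaping is enough here, the payload becomes
    a harmless literal."""
    sql = f"SELECT id, name FROM users WHERE name = '{escape(name)}'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Unquoted numeric context: there is no quote for escape() to touch,
    so a payload like '1 OR 1=1' is spliced into the query verbatim."""
    sql = f"SELECT id, name FROM users WHERE id = {escape(user_id)}"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_by_id_prepared(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterised query in the numeric position: '2' is coerced to the
    integer 2 by column affinity, while '1 OR 1=1' is just a non-numeric
    string that matches no row."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    quote_payload = "' OR '1'='1"   # classic string-context injection attempt
    numeric_payload = "1 OR 1=1"    # no quotes: nothing for escaping to neutralise

    print("escaped, string context :", find_by_name_escaped(db, quote_payload))
    print("escaped, numeric context:", find_by_id_escaped(db, numeric_payload))
    print("prepared, string context:", find_by_name_prepared(db, quote_payload))
    print("prepared, numeric ctx   :", find_by_id_prepared(db, numeric_payload))
```

Running it shows the escaped string-context lookup returning nothing, the escaped numeric-context lookup returning every user (the injection succeeded even though escape() was applied), and both prepared-statement lookups returning nothing for the payloads while still finding a legitimate user for a normal value. The same split applies to the PHP original: mysql_real_escape_string() is safe only when the caller also supplies the quotes around the value, which is exactly the discipline a prepared statement enforces for you.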