Home/ Questions/Q 9015391
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T03:44:22+00:00

Possible Duplicate: How to prevent SQL injection? This is my attempt at cleaning up

  • 0

Possible Duplicate:
How to prevent SQL injection?

This is my attempt at cleaning up what I will be putting into my database

$pictureID = $_REQUEST['pictureID'];
$userID = $_REQUEST['userID'];
$username = $_REQUEST['username'];

//Sanatize //Protext against injection

$username = filter_var($username, FILTER_SANITIZE_EMAIL);
$userID = filter_var($userID, FILTER_SANITIZE_STRING);
$pictureID = filter_var($pictureID, FILTER_SANITIZE_STRING);

$username = stripslashes($username);
$username = mysql_real_escape_string($username);

$userID = stripslashes($userID);
$userID = mysql_real_escape_string($userID);

$pictureID = stripslashes($pictureID);
$pictureID = mysql_real_escape_string($pictureID);

I have two questions, is the above enough?

Also, if I do echo $pictureID nothing appears, however, if I remove the $pictureID = mysql_real_escape_string($pictureID); then echo $pictureID works.

Is this the correct behavior?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Wow…

    You really do not need that much.

    Try using PDO or mysqli with a prepared query, then all of that nonsense should not be needed.

    See this canned comment for advice:

    Please, don’t use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLithis article will help you decide which. If you choose PDO, here is a good tutorial.

    • 0