
I am using FILTER_SANITIZE_SPECIAL_CHARS in my PHP code to sanitize the inputs.

Do I really need to use mysql_escape_string? Can I prevent SQL injection and other attacks with the filter functions only?

  • Is there any particular reason you don't want to use standard techniques to sanitize input? – JJJ Jul 22 '12 at 06:48

1 Answer


Don't use FILTER_SANITIZE_SPECIAL_CHARS and mysql_escape_string. Use PDO. With prepared statements you don't need to escape inputs manually.

  • Oh, okay, but for now will the filter function serve the purpose, because a lot of code is written without PDO? – Pratik M Jul 22 '12 at 07:03
  • For that case use mysql_real_escape_string. But you need to be very careful with this. Here is some material about SQL injection: http://webappsec.org/projects/articles/091007.txt . – Rafael Sedrakyan Jul 22 '12 at 07:07
  • Is there any disadvantage of using the filter? – Pratik M Jul 22 '12 at 07:08
  • Yes. It does not escape the characters that need to be escaped to avoid SQL injection. – Rafael Sedrakyan Jul 22 '12 at 07:12
  • Just one last query. Thanks for your time and efforts. If I print an apostrophe using filter sanitize special chars, it prints out ' in the browser source. So does that also mean it can sanitize it and won't create any problem if escape string is not used? It does not print an apostrophe right away but prints ' – Pratik M Jul 22 '12 at 07:17
  • It may do the work... But I would recommend you use mysql_real_escape_string, as it is created specially for that purpose. And if you want to sanitize HTML output, use htmlspecialchars. – Rafael Sedrakyan Jul 22 '12 at 07:43
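The difference the answer is getting at, as an added example (not code from the question or the answer): FILTER_SANITIZE_SPECIAL_CHARS only HTML-encodes `'`, `"`, `<`, `>`, `&` and control characters, so an input that needs no quotes at all, such as an unquoted numeric id, passes straight through and changes the query. A PDO prepared statement sends the SQL text and the parameter separately, so the same input is treated as a single value. The in-memory SQLite database, the `users` table and its two rows are constructed sample data so the script runs offline; `findByIdFiltered` and `findByIdPrepared` are names chosen for this example.

```php
<?php
// Added example: HTML-encoding "sanitisation" versus a PDO prepared statement.
// Uses an in-memory SQLite database with constructed sample rows.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
    return $db;
}

// VULNERABLE: "sanitise" with FILTER_SANITIZE_SPECIAL_CHARS, then interpolate.
// The filter leaves spaces, '=' and SQL keywords untouched, so in an unquoted
// numeric context the input still becomes part of the statement.
function findByIdFiltered(PDO $db, string $id): array
{
    $clean = filter_var($id, FILTER_SANITIZE_SPECIAL_CHARS);
    $sql   = "SELECT id, name, role FROM users WHERE id = $clean";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare() time; the value is bound separately
// and can never be parsed as SQL, whatever characters it contains.
function findByIdPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db        = makeDb();
$malicious = '2 OR 1=1';   // constructed attacker input: no quotes, nothing for the filter to encode

// Interpolated query becomes: SELECT ... WHERE id = 2 OR 1=1  -> every row, admin included
echo 'filtered rows:  ' . count(findByIdFiltered($db, $malicious)) . PHP_EOL;   // 2

// The whole string "2 OR 1=1" is compared against id as one value -> matches nothing
echo 'prepared rows:  ' . count(findByIdPrepared($db, $malicious)) . PHP_EOL;   // 0

// Normal use is unchanged
echo 'prepared name:  ' . findByIdPrepared($db, '2')[0]['name'] . PHP_EOL;      // bob
```

Two practical notes. First, the filter does turn `'` into `&#39;`, which is why the question's test "seems" to work in a quoted string context; but the value written to the database is then the HTML-encoded form, so a name like O'Brien is stored corrupted. Keep HTML encoding (`htmlspecialchars`) for the moment of output to a page, and let the database driver handle parameters. Second, the point of a prepared statement is not that the driver escapes for you; with `PDO::ATTR_EMULATE_PREPARES` off, the parameter never passes through the SQL parser at all, which is why it also covers the numeric case that escaping and HTML-encoding both miss.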