
Possible Duplicate:
Best way to prevent SQL Injection in PHP

PHP: is this Clear() function for GET variables good or not? Please help me.

function Clear($text)
{
    $Var = str_replace("'", "", $text);
    $Var = str_replace('"', '', $Var);
    $Var = strip_tags($Var);
    $Var = htmlentities($Var);
    return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);

It is for SQL injection; this is sample code I wrote. I am using PDO. If I use mysql_real_escape_string, it does not work.


2 Answers


NO. NO. NO

That is not "safe" from attacks.

At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.

However, I recommend placeholders as a more universal (and tidier) solution.

See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.

  • @user1289782 there is no pdo in your sample code – Ibu Aug 02 '12 at 06:10
  • I looked at that post and marked this question as an exact duplicate as well, to help :-) Unfortunately, I have reached my voting cap for the day, so I can't upvote... – uınbɐɥs Aug 02 '12 at 08:05

Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php

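Both answers recommend placeholders (PDO prepared statements) over string cleaning. The following is an added example, not code from the question or from either answer: it runs the question's Clear() function beside a PDO prepared statement against an in-memory SQLite table so it executes offline. The table, its three rows and the findById() helper are constructed for the demo and are not from the original page.

```php
<?php
// Added example, not code from the question or either answer. It runs the
// question's Clear() beside PDO prepared statements against an in-memory
// SQLite table constructed for the demo, so it executes offline.

function Clear($text)
{
    $Var = str_replace("'", "", $text);
    $Var = str_replace('"', '', $Var);
    $Var = strip_tags($Var);
    $Var = htmlentities($Var);
    return $Var;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$ins = $pdo->prepare("INSERT INTO users (name) VALUES (?)");
foreach (["O'Brien", "Tom & Jerry", "admin"] as $n) {   // constructed sample rows
    $ins->execute([$n]);
}

// 1. Clear() changes legitimate input: O'Brien loses its apostrophe and the
//    ampersand in Tom & Jerry becomes an HTML entity, so neither lookup matches
//    the stored value.
foreach (["O'Brien", "Tom & Jerry"] as $name) {
    $sql = "SELECT * FROM users WHERE name = '" . Clear($name) . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    printf("Clear(): %-12s -> %s\n", $name, $row ? $row['name'] : 'no row');
}

// 2. The same lookups with a named placeholder. The value is sent to the
//    driver separately from the SQL text, so it needs no quoting or escaping
//    and reaches the database unchanged. The third input is compared as a
//    plain string and is never parsed as SQL, so it simply matches nothing.
$byName = $pdo->prepare("SELECT * FROM users WHERE name = :name");
foreach (["O'Brien", "Tom & Jerry", "x' OR '1'='1"] as $name) {
    $byName->execute([':name' => $name]);
    $row = $byName->fetch(PDO::FETCH_ASSOC);
    printf("PDO:     %-12s -> %s\n", $name, $row ? $row['name'] : 'no row');
}

// 3. Clear() only strips quote characters. Applied to an unquoted numeric
//    column it passes "1 OR 1=1" through untouched, and that text then becomes
//    part of the WHERE clause instead of being a value.
$id  = "1 OR 1=1";
$all = $pdo->query("SELECT * FROM users WHERE id = " . Clear($id))
           ->fetchAll(PDO::FETCH_ASSOC);
printf("Clear() on id column: %d rows returned for input %s\n", count($all), $id);

// 4. For a numeric column, validate the type first and bind as an integer;
//    reject input that is not an integer instead of trying to "clean" it.
//    findById() is a helper written for this example.
function findById(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

var_dump(findById($pdo, "2"));
var_dump(findById($pdo, "1 OR 1=1"));
```

Run it with the PHP CLI (it needs the pdo_sqlite extension). The point it makes: stripping quotes and HTML-encoding damages real data and only helps inside a quoted string literal, while a placeholder keeps the data out of the SQL text entirely, which is why the answers recommend it over any escaping or cleaning function.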