-3

Possible Duplicate:
Best way to prevent SQL injection in PHP?

I have seen mysql_real_escape_string and strip slashes being used in preventing MySQL injections. Or would I need more and place this all into function, then use the function to prevent injection?

$query = ("SELECT * FROM `users` WHERE `fname` REGEXP '%s' AND `lname` REGEXP '%s' LIMIT  
%d", 
mysql_real_escape_string($fname), 
mysql_real_escape_string($lname),
(int)$RowsLimit);

Or would it be better to do something like this? mysql_real_escape_string(stripslahses($fname)),

Community
  • 1
  • 1
Jordan Smith
  • 21
  • 3
  • 1
    http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php, among many others – ultranaut Oct 06 '12 at 02:08
  • 1
    [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Oct 06 '12 at 02:23

2 Answers2

0

You should be using a prepared query solution instead of string formatting.

Are Paramerterized queries necessary in pdo?

prepared queries with pdo

Preventing sql injection in php

Community
  • 1
  • 1
Johnathon Malizia
  • 136
  • 1
  • 4
0

Avoid using mysql_ functions as they are being deprecated. Look into mysqli_ or PDO. Both of which are prepared statements and are both faster and more secure when used effectively.

Also, prepared statements do not need to be escaped. This is explained in a previous answer:

Why is using a mysql prepared statement more secure than using the common escape functions?

PHP.net on preparing a mysqli_ statement

Community
  • 1
  • 1
anditpainsme
  • 601
  • 1
  • 7
  • 14
  • Thanks, I did not know mysql_functions are being deprecated. I thought I would need to apply several strings to help prevent injection. I will look more into PDO (never head of this before far-less what it stands for). Thank you for your answer. – Jordan Smith Oct 06 '12 at 21:28