
Possible Duplicate:
How to prevent SQL injection?

This is my attempt at cleaning up what I will be putting into my database

$pictureID = $_REQUEST['pictureID'];
$userID = $_REQUEST['userID'];
$username = $_REQUEST['username'];

// Sanitize // Protect against injection

$username = filter_var($username, FILTER_SANITIZE_EMAIL);
$userID = filter_var($userID, FILTER_SANITIZE_STRING);
$pictureID = filter_var($pictureID, FILTER_SANITIZE_STRING);

$username = stripslashes($username);
$username = mysql_real_escape_string($username);

$userID = stripslashes($userID);
$userID = mysql_real_escape_string($userID);

$pictureID = stripslashes($pictureID);
$pictureID = mysql_real_escape_string($pictureID);

I have two questions. Is the above enough?

Also, if I do `echo $pictureID` nothing appears; however, if I remove the line `$pictureID = mysql_real_escape_string($pictureID);` then `echo $pictureID` works.

Is this the correct behavior?

    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – NullPoiиteя Dec 20 '12 at 17:45
  • ...possible duplicate? lol ...thinking maybe SO needs an auto reply for mysql_ / PDO questions? – ficuscr Dec 20 '12 at 17:57

2 Answers


Wow...

You really do not need that much.

Try using PDO or mysqli with a prepared query, then all of that nonsense should not be needed.


See this canned comment for advice:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

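The prepared-query approach this answer recommends, applied to the asker's three request parameters. This is an added example, not code from the question or the answer; the DSN, credentials, the `pictures` table and its columns, and reading the values from POST are assumptions.

```php
<?php
// Added example (not from the original question or answers): the asker's
// three request parameters bound through a PDO prepared statement, so no
// manual escaping is needed. Table, column names, DSN and credentials are
// assumptions.

declare(strict_types=1);

// Assumed layout: pictures(picture_id INT, user_id INT, username VARCHAR)
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';   // assumed DSN
$pdo = new PDO($dsn, 'app_user', 'app_password', [          // assumed credentials
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// Validate shape first: the IDs must be integers and the username an e-mail
// address (the asker ran FILTER_SANITIZE_EMAIL on it). Reject bad input
// instead of trying to "clean" it. INPUT_POST is an assumption; the asker
// read from $_REQUEST.
$pictureID = filter_input(INPUT_POST, 'pictureID', FILTER_VALIDATE_INT);
$userID    = filter_input(INPUT_POST, 'userID',    FILTER_VALIDATE_INT);
$username  = filter_input(INPUT_POST, 'username',  FILTER_VALIDATE_EMAIL);

// filter_input() returns null when the field is missing and false when it
// fails validation; both cases are rejected.
if ($pictureID === false || $pictureID === null ||
    $userID    === false || $userID    === null ||
    $username  === false || $username  === null) {
    http_response_code(400);
    exit('Invalid input');
}

// The SQL text holds only placeholders; the values travel separately at
// execute() time, so they are never parsed as part of the statement.
$stmt = $pdo->prepare(
    'INSERT INTO pictures (picture_id, user_id, username) VALUES (:pid, :uid, :uname)'
);
$stmt->bindValue(':pid',   $pictureID, PDO::PARAM_INT);
$stmt->bindValue(':uid',   $userID,    PDO::PARAM_INT);
$stmt->bindValue(':uname', $username,  PDO::PARAM_STR);
$stmt->execute();

// Reading back uses the same pattern, again with no escaping call.
$query = $pdo->prepare('SELECT username FROM pictures WHERE picture_id = :pid');
$query->execute([':pid' => $pictureID]);
echo htmlspecialchars((string) $query->fetchColumn(), ENT_QUOTES, 'UTF-8');
```

Because the values are bound at execute() time rather than spliced into the SQL string, nothing here depends on an open connection for escaping; the empty result the asker saw comes from mysql_real_escape_string() returning false when it has no MySQL connection to escape for.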

To protect against SQL-injection, the only required call is this:

  $pictureID = mysql_real_escape_string( $pictureID );

This method call effectively escapes all special characters which could potentially change the intended operation of your query.

As @NullPointer pointed out, using PHP's PDO would be a good alternative, since mysql_* is deprecated as of PHP 5.5+. Nevertheless, I don't think it will get completely removed from PHP very soon.

    mysql_real_escape_string doesn't prevent SQL attacks. See this: http://stackoverflow.com/questions/9814642/can-mysql-real-escape-string-alone-prevent-all-kinds-of-sql-injection. If you read through you will find out there are a number of ways to fool mysql_real_escape_string or mysqli_real_escape_string – User123456 Jul 14 '16 at 04:28