
I have a somewhat general question. I am making a read/post news-kind of site/CMS and I am not sure how I should go about escaping the data to be saved in the SQL tables. Should I just call addslashes before insert and stripslashes after select, or is there something else I am missing? Thanks in advance!

Dave S.
luleksde

2 Answers

What you need to do is to learn about PDO or MySQLi. These were constructed so that injection would cease to be a problem. They're a bit more work than PHP's regular MySQL functions, but those are due to be removed in future versions of PHP, and should really not be encouraged.

The top-voted PHP question on StackOverflow actually concerns exactly this. It's available here, and the accepted solution describes exactly what you need to learn.

Good luck!

Joel Hinz

Use PDO instead: http://www.php.net/manual/en/book.pdo.php

If you're using PDO you don't need to escape every time you insert into the database. PDO has 'escaping' features.

Read the documentation; it will help you with this.

Read this as well, it will help you understand the PDO features etc... http://marco-pivetta.com/doctrine2-orm-tutorial/#1

Philip F