Prevent sql injection on datetime string input

Question

I'm receiving from a JS script an string that should be formatted according to the datetime format so like: 2013-07-29 00:00:00.

Of course I need to sanitize that input before putting it in a raw MySQL query. What will be the best way to sanitize that format on php?

You **don't** need to **sanitize**, you need to **escape**. Or use preparred statements. — Arnaud Le Blanc, Aug 05 '13 at 08:55
[How to prevent SQL injection in PHP](http://stackoverflow.com/q/60174/112968) — knittl, Aug 05 '13 at 09:00

score 3 · Accepted Answer · edited May 23 '17 at 12:05

3

The "best" would be to use prepared statements and let the DB adapter escape special chars in the values for you.

Whatever is your flavor does not matter really in that subject:

As suggested by knittl, see How can I prevent SQL injection in PHP? for the canonical answer.

edited May 23 '17 at 12:05

Community

1
1

answered Aug 05 '13 at 08:55

Sylvain Leroux

50,096
7
103
125

score 2 · Answer 2 · answered Aug 05 '13 at 08:54

2

The BEST would to use PDO.

Otherwise if you are using the deprecated mysql_* functions; mysql_real_escape_string() is what you are looking for.

answered Aug 05 '13 at 08:54

Eric

18,532
2
34
39

score 1 · Answer 3 · answered Aug 05 '13 at 08:58

1

You cand use a regular expression for testing the input format.

For inserting into DB best would be PDO.

answered Aug 05 '13 at 08:58

George Tzutzu

11
1

score 1 · Answer 4 · answered Aug 05 '13 at 08:58

I would personally make a Regular Expression, take apart each date and time component, and verify that it is actually a good date and time in PHP (not like 2013-25-19 12:72:883). You can use checkdate() to verify that it is actually a date, then check the time based on the expected hour, minute, and second range for time..

Also, it is common to use the PDO extension in PHP to insert into the database.

Prevent sql injection on datetime string input

4 Answers4