I've just converted my code from mysql to mysqli and I used Oracle's converter: https://wikis.oracle.com/display/mysql/Converting+to+MySQLi

It was my understanding from various questions/answers on Stack Overflow that inputs do not need to be sanitised if you are using mysqli. However, it appears this isn't the case: even though I'm on mysqli, I can still input something with an inverted comma, e.g. `what's`, and it returns the error, as it will try to merge anything after the `'` with the rest of my code.

Am I doing something wrong? If I still need to sanitise my input values after using mysqli how could I do it?

UPDATE

If I run a function like this on my inputs would that be enough?

function sanitise($str){
  // htmlspecialchars() encodes for HTML output; it does nothing for SQL.
  $string = htmlspecialchars($str);
  // mysql_real_escape_string() belongs to the old mysql extension (removed in PHP 7);
  // with mysqli the equivalent is $link->real_escape_string(). Escape the working copy,
  // not the raw input, so the first step is not discarded.
  $string = mysql_real_escape_string($string);
  // Return the processed value (the original returned the untouched $str).
  return $string;
}
Allen S
  • Where exactly did you see `inputs do not need to be sanitised if you are using mysqli`? – Amal Murali Sep 17 '13 at 11:24
  • Input sanitization: [`mysqli::real_escape_string()`](http://php.net/mysqli-real-escape-string) or prepared statements ([`mysqli_stmt`](http://php.net/mysqli_stmt)). And, yeah, do not trust code converters - if you ask me, I would never trust my code to third party tool. – BlitZ Sep 17 '13 at 11:25
  • @CORRUPT I've updated my question, does that look about right? – Allen S Sep 17 '13 at 11:33
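The two approaches named in the comments, as an added example that is not from the question or the comments: it assumes placeholder connection values and a `products` table with `id` and `name` columns, and shows why the concatenated query breaks on `what's` while the prepared statement handles it.

```php
<?php
// Added example; connection values and the products table are placeholders.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'shop');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping and binding depend on the connection charset

$input = "what's"; // the value that triggered the error in the question

// 1. Broken: switching to mysqli changes nothing for a query built by concatenation.
//    The apostrophe closes the string literal and the SQL is malformed.
$unsafe = "SELECT id, name FROM products WHERE name = '$input'";
if ($db->query($unsafe) === false) {
    echo "Concatenated query failed: {$db->error}\n";
}

// 2. Prepared statement: the value is sent separately from the SQL text,
//    so quotes in $input cannot alter the query's structure.
$stmt = $db->prepare('SELECT id, name FROM products WHERE name = ?');
$stmt->bind_param('s', $input);   // 's' = bind as a string
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    // htmlspecialchars() belongs here, at output time, not before the query.
    echo $id . ': ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}
$stmt->close();

// 3. Only if a value really must be spliced into SQL text: escape it with the
//    mysqli escaper bound to this connection (not the old mysql_ function).
$escaped = $db->real_escape_string($input);
$legacy  = "SELECT id, name FROM products WHERE name = '$escaped'";
$db->query($legacy);
$db->close();
```

Prepared statements are the default choice; `real_escape_string()` only covers quoted string literals, so it cannot protect identifiers or unquoted numbers.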

0 Answers