I have a script which takes $_POST['messages'] and then saves the user's messages to a MySQL database.
What's the best approach to prevent SQL injection and save the messages (which could be alphabets, numbers, special characters) to the database so that it won't affect the script + database queries?
I mean, is there any approach to encode the data or change the special characters to encoded characters, like ? to %3F or something?
I'm using PHP, MySQL (MySQL PDO Wrapper Class).