
I learned the following method to sanitize data

```php
function sanitize($data)
{
    return mysql_real_escape_string($data);
}
```

Then the deprecation of some extension within mysql is becoming a bit frustrating for beginners that did not know about it; however, it is a learning experience to know PHP properly. It is recommended to use mysqli_real_escape_string instead, and since this function requires 2 parameters, I have the following:

```php
function sanitize($data)
{
    // 1. Create a database connection
    $db = new mysqli('localhost', 'root', 'somepass', 'secured_login');
    if ($db->connect_errno) {
        $connect_error = 'Sorry, we are experiencing connection problems.';
        die($connect_error);
    }
    return htmlentities(strip_tags(mysqli_real_escape_string($db, $data)));
}
```

However, I have been getting the sense that many PHP programmers highly recommend using the PDO method instead.

My apologies for such a long intro. My question is: is it safe to use the modified function sanitize where mysqli_real_escape_string is used instead of mysql_real_escape_string?

If not, then by using PDO I would need to learn OOP PHP instead of procedural. I hope I framed this question correctly. Is mixing both programming orientations (procedural and OOP) frowned upon?

What is the real advantage of using PDO in the longer term? Thank you!

  • Don't! If you're using MySQLi, use prepared statements/bind variables – Mark Baker Jan 29 '14 at 00:08
  • Mark, so I need to disregard using the function sanitize altogether and use prepared statements instead when using mysqli, did I get that right? – user3001162 Jan 29 '14 at 00:12
  • Your `sanitize()` function will repeatedly instantiate new database objects. You'd be better passing the database object in as an argument, as in `$result = sanitize($db, $data)`, or something similar. It's unwise to mix OOP and procedural approaches. It might work, but it'll confuse you or someone like you if the code needs to be maintained. –  Jan 29 '14 at 00:13
  • The *very fact* that you are using `htmlentities` *and* `strip_tags` in *addition* to `mysql_real_escape_string` means **important concepts are not understood**. The functions serve *different purposes*; adding the extra functions does not make anything "more secure". The best approach is to use placeholders, but failing that, use `mysqli_real_escape_string` *directly on the data* before it is used in an SQL string. (`htmlentities` should be used when *outputting HTML*, but not here; `stripslashes` has some cases, but not here or with HTML.) – user2864740 Jan 29 '14 at 00:18
  • user2864740, you mean I should use **mysqli_real_escape_string** instead because **mysql_real_escape_string** is deprecated in future PHP versions – user3001162 Jan 29 '14 at 00:22
  • @user3001162 You [*should* use placeholders](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and forget about this awful `sanitize` method. (But yes, that was a typo on my part - *avoid* using deprecated methods.) – user2864740 Jan 29 '14 at 00:22

1 Answer

IMHO you have to learn how to use the PDO driver to prevent a headache by reinventing the wheel. With an OOP driver like PDO you can also do cool stuff simply by extending the class, overriding some methods and changing a few lines of code. You can also play with dependency-injected PDO-derived objects. You can change the type of your database by editing the PDO::engine variable.

Plus you can easily prevent SQL injections of the 1st type.

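The placeholder approach recommended in the comments and in the answer, as an added example that is not code from the question or the answer. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; the `users` table, its one row and the `findUser()` helper are constructed here for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: PDO prepared statements in place of a sanitize() function.
// The DSN, table and sample row are constructed for this demo (not the question's database).
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        // A failed query throws instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Ask for driver-side prepared statements where the driver supports them.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    // Constructed sample row: a quote and a tag that the original sanitize() would have mangled.
    $pdo->prepare('INSERT INTO users (username) VALUES (:u)')->execute([':u' => "O'Brien <b>"]);
    return $pdo;
}

// The username is bound as data. The database never parses it as SQL, so no
// escaping is needed and nothing has to know which characters are "dangerous".
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = connect();

// Stored data round-trips intact: quotes and angle brackets are preserved, because
// strip_tags()/htmlentities() were never applied to the value before storage.
$row = findUser($pdo, "O'Brien <b>");
assert($row !== null && $row['username'] === "O'Brien <b>");

// Input containing SQL metacharacters is simply a username that does not exist;
// with a bound parameter it cannot change the shape of the query.
assert(findUser($pdo, "' OR '1'='1") === null);

// Escaping belongs at output time, chosen for the output context (here HTML),
// which is where htmlentities()/htmlspecialchars() actually do their job.
echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
```

With `zend.assertions=1` in php.ini the two `assert()` calls fail loudly if the round trip is broken; with the default production setting they are skipped and the script just prints the escaped username.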