
In my databases I store these values:
- Android GCM registration ID
- iOS identifier for vendor
- Device IMEI
- PHP uniqid

It seems like they have these character sets:
- GCM id: AZaz09-_
- Identifier for vendor: AZ09-
- IMEI: 09
- PHP uniqid: az09

I need to sanitize these ids just before saving to the database, but I'm not sure how to sanitize them.
PHP's mysqli_real_escape_string is an option, but I prefer solutions like preg_replace('/[^A-Za-z0-9\_]/', '', $deviceid). But can the current character sets change in the future? How can I sanitize them so I can cover future changes?


PHP's mysqli_real_escape_string is an option but I prefer solutions like preg_replace

Stop there. It's clear by this statement, your question, and the question tags that you don't understand what escaping is for. Rather than answering your question directly, let me try to explain it.

mysqli_real_escape_string() escapes strings for SQL. All this means is that you can transparently use a string in an SQL statement. That is, the data won't be confused with the command. SQL injection happens when data contains characters making the delimiters between data and commands ambiguous. To avoid SQL injection, data must be separated from the command. One method for this is to escape it.

A better method all around is to use prepared queries. This separates all data from the command, meaning that the data can be anything you want and doesn't require escaping.

See also: https://stackoverflow.com/a/7810880/362536

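To make the answer's point concrete, here is an added example (not code from the answer or the question) that stores the four identifiers with a mysqli prepared statement, so the values travel separately from the SQL text and need no escaping whatever characters they contain. The table name, column names, connection details and the optional format patterns are all assumptions; the patterns only enforce an expected shape and are not what prevents SQL injection.

```php
<?php
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed connection details and schema (hypothetical).
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4');

// Optional input validation: rejects values that do not look like the
// identifier they claim to be. This is a data-quality check, separate from
// injection prevention. Patterns are assumptions based on the observed
// character sets and would be loosened if a vendor changes its format.
function looksValid(string $kind, string $value): bool
{
    $patterns = [
        'gcm_id'     => '/^[A-Za-z0-9_-]{1,255}$/',
        'ios_idfv'   => '/^[A-Z0-9-]{1,64}$/',
        'imei'       => '/^[0-9]{14,16}$/',
        'php_uniqid' => '/^[a-z0-9]{13,23}$/',
    ];
    return (bool) preg_match($patterns[$kind], $value);
}

function storeDevice(mysqli $db, ?string $gcmId, ?string $idfv, ?string $imei, string $uniqid): void
{
    // The statement text contains only placeholders. The bound values are
    // sent to the server as data, so no quote, semicolon or comment marker
    // inside them can change the command. Null variables are bound as NULL.
    $stmt = $db->prepare(
        'INSERT INTO devices (gcm_id, ios_idfv, imei, php_uniqid) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $gcmId, $idfv, $imei, $uniqid);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample input. The second call deliberately contains SQL
// metacharacters; with a prepared statement it is stored literally.
$imei = '356938035643809';
if (!looksValid('imei', $imei)) {
    throw new InvalidArgumentException('IMEI has unexpected format');
}
storeDevice($mysqli, 'abc-DEF_123', null, $imei, uniqid());
storeDevice($mysqli, "a'b;c--", null, null, uniqid());
```

If a vendor later widens its character set, only looksValid() needs updating; storeDevice() is already correct for any input.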