-4

Based on http://us.php.net/manual/en/filter.filters.sanitize.php , this looks like a good way for my purposes: 

$filteredVar = filter_var($myVar, FILTER_SANITIZE_STRING);

The strings I will be inserting to my db will be addresses, dates, prices, and product names, all from db or generated by jquery datepicker or google maps api.

user1877124
  • 37
  • 1
  • 8

2 Answers2

0

Why not use prepared Statements. Easier, cleanier and self-maintaining.

$mysqli = new mysqli("","","","");
$mysqli->prepare("SELECT Cols FROM Table WHERE Col=?");
$mysqli->bind_param(...);
Daryl Gill
  • 5,464
  • 9
  • 36
  • 69
0

Please use prepared statements.

CRUD application example for a record creation use-case:

$db = new mysqli();

$name = htmlspecialchars($_REQUEST['product_name']);
$desc = htmlspecialchars($_REQUEST['product_desc']);
$price = htmlspecialchars($_REQUEST['product_price']);

$sql = 'INSERT INTO products (name, description, price) 
    VALUES (?, ?, ?);';
$stmt = $db->prepare();
$stmt->bind_param('ssd', $name, $desc, $price);
$stmt->execute();
SamT
  • 10,374
  • 2
  • 31
  • 39