I have a simple classifieds website...

Classifieds are inserted into MySql tables and the only thing I use to sanitize user input is mysql_real_escape_string.

Is this enough?

PDO is of course the best way, but what IS actually the difference between using only mysql_real_escape_string and PDO in, let's say, this query:

   SELECT * FROM table_name WHERE table_name.classified = '$classified';

OR

   INSERT INTO table_name (input1, input2) VALUES ('$input1', $input2);

Thanks

  • Escaping is too easily forgotten. Parameterized queries are an inherently safer *methodology*. (But btw, your examples seem to use neither approach). Another advantage of PDO are potential speed gains. It's currently theoretical, because the PDO MySQL driver still resorts to escaping instead of bound parameters. – mario Nov 08 '10 at 00:08
  • Unless you really need the database abstraction, you are encouraged to use neither PDO, nor MySql, but MySqli instead. It has support for both: [binding](http://de2.php.net/manual/en/mysqli-stmt.bind-param.php) and [escaping](http://de2.php.net/manual/en/mysqli.real-escape-string.php) – Gordon Nov 08 '10 at 08:26

1 Answer

I think mysql_real_escape_string is enough for storing in the database and warding against any SQL injection attack. But other validation is a good idea to have, just so that your dataset is more regular and less prone to contain junk.

For presenting any of this data, filtering (à la Drupal style, etc.) is a good idea too.

dkinzer
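Added example, not code from the question or the answer, showing for the question's own INSERT and SELECT why escaping only protects a value that sits inside quotes while a bound parameter protects the unquoted `$input2` as well, and adding the input validation the answer recommends. It assumes an in-memory SQLite database in place of MySQL and a hypothetical `escape_stub()` standing in for mysql_real_escape_string().

```php
<?php
// Added example, not code from the question or the answer. Assumptions: an
// in-memory SQLite database stands in for MySQL, and escape_stub() is a
// hypothetical stand-in for mysql_real_escape_string(), which needs a live
// MySQL link (and is gone in PHP 7+). Table shape follows the question.

function escape_stub(string $s): string {
    // Escapes the same characters mysql_real_escape_string() does.
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => '\\"',
                      "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z"]);
}

// The question's string-built INSERT: escaping only protects the quoted value.
function build_insert_escaped(string $input1, string $input2): string {
    $a = escape_stub($input1);
    $b = escape_stub($input2);  // unquoted in the SQL, so $b is spliced in as SQL text
    return "INSERT INTO table_name (input1, input2) VALUES ('$a', $b);";
}

// Parameterized form: values are bound, never spliced into the SQL text.
function insert_prepared(PDO $db, string $classified, string $input1, string $input2): void {
    // Validate the numeric field first (the "other validation" the answer recommends).
    $n = filter_var($input2, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("input2 must be an integer");
    }
    $stmt = $db->prepare(
        "INSERT INTO table_name (classified, input1, input2) VALUES (:c, :i1, :i2)");
    $stmt->bindValue(':c', $classified);
    $stmt->bindValue(':i1', $input1);
    $stmt->bindValue(':i2', $n, PDO::PARAM_INT);
    $stmt->execute();
}

function find_classified(PDO $db, string $classified): array {
    $stmt = $db->prepare("SELECT * FROM table_name WHERE classified = :c");
    $stmt->execute([':c' => $classified]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On a real MySQL link also set PDO::ATTR_EMULATE_PREPARES to false so the server binds.
$db->exec("CREATE TABLE table_name (classified TEXT, input1 TEXT, input2 INTEGER)");

// Constructed inputs: an apostrophe in the text field, a non-number in the numeric one.
echo build_insert_escaped("O'Reilly", "five"), "\n";
// The apostrophe is escaped, but "five" lands unquoted in the SQL text as code, not data.
insert_prepared($db, "bike", "O'Reilly", "42");   // apostrophe stored as data, no escaping needed
print_r(find_classified($db, "bike"));            // the bound lookup returns the row intact
```

Calling `insert_prepared($db, "bike", "x", "five")` throws before any SQL is built, which is the validation step the answer alludes to.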